[This Transcript is Unedited]

Department Of Health and Human Services

National Committee on Vital and Health Statistics

Subcommittee on Standards and Security

February 2, 2005

Hubert H. Humphrey Building
200 Independence Avenue, SW
Washington, D.C. 20201

Proceedings By:
CASET Associates, Ltd.
10201 Lee Highway, Suite 160
Fairfax, Virginia 22030
(703) 352-0091

P R O C E E D I N G S [8:43 a.m.]

AGENDA ITEM: Call to Order, Welcome and Introductions – Simon Cohn, Chair

DR. COHN: Okay, we’re going to get started here in just a
moment. Now, just a check here; Stan Huff, are you on the phone?

DR. HUFF (on phone): Yes, I am.

DR. COHN: Okay, great. Welcome. Okay, would everyone please be
seated? We’ll get started here momentarily. I want to apologize to everybody
for running a couple minutes late. On the other hand, in California it is 5:43
in the morning at this point, so –

Good morning. I want to call this meeting to order. This is the
second day of meetings of the Subcommittee on Standards and Security of the
National Committee on Vital and Health Statistics. The Committee is the main
public advisory committee to the U.S. Department of Health and Human Services
on national health information policy.

I’m Simon Cohn, Chairman of the Subcommittee, newly appointed
Chairman of the full Committee, and the Associate Executive Director for Health
Information Policy for Kaiser Permanente. I want to welcome fellow Subcommittee
members, HHS staff, and others here in person; also welcome those listening in
on the Internet, and as always, I want to remind everyone to speak clearly and
into the microphone.

This morning, we begin with a presentation by the Designated
Standards Maintenance Organizations presenting their annual report, and I want
to thank Gary Beatty for coming out to join us. This is just a first discussion
this year of the DSMO reports and recommendations and we’ll be having wider
discussions of the DSMO recommendations as well as industry comments at our
April 6th and 7th hearings.

Then we will spend the remainder of the morning on Subcommittee
discussions of our next set of e-prescribing recommendations, and then we’ll
finish up with a discussion basically relating to any comments we may want to
make relating to the new proposed regulation relating to e-prescribing and
planning for next steps.

As noted on your agendas, we’re trying to adjourn no later than
12:30.

I want to emphasize that this is an open session. Those in
attendance are welcome to make brief remarks if you have information pertinent
to the subjects being addressed.

Finally, for those on the Internet, we do welcome email and
letters on any of the issues coming before us today.

With that, let’s have introductions around the table and then around the
room. For those on the National
Committee, I would ask if you have any conflicts of interest coming before us
today, would you please so publicly indicate during your introduction? And we
will obviously include Stan Huff, even though he’s calling in, as part of those
introductions. And, Stan, why don’t we start with you, since I’m mentioning
your name?

DR. HUFF: Okay. This is Stan Huff. I’m with Intermountain
Health Care and the University of Utah in Salt Lake City, and I will be with
the meeting until about 11:30, Simon, and then my other conflicts come into
play.

DR. COHN: Okay. Well, thank you. Do you have any conflicts?

DR. HUFF: Not as far as I know right now.

DR. COHN: Okay.

[Laughter.]

DR. COHN: Until we discuss something, hah?

[Laughter.]

DR. HUFF: Well, I guess with the DSMO, I mean, yes, just let
people know that I am a Vocabulary Co-Chair within HL7 and a previous Chair of
HL7, so I guess people should be aware of that as a potential conflict.

DR. COHN: Okay, and well said. Jeff?

MR. BLAIR: Jeff Blair, Vice President of Medical Records
Institute, Vice Chair of the Subcommittee. I don’t expect there to be any
conflicts; however, it should be noted
that my employer heads ASTM E31, so if a discussion or a vote comes up related
to that, I’ll point that out.

MR. STEINDEL: Steve Steindel, Centers for Disease Control and
Prevention, staff to the Subcommittee and liaison to the full Committee.

DR. FITZMAURICE: Michael Fitzmaurice, Agency for Healthcare
Research and Quality, staff to the Subcommittee on Standards and Security,
liaison to the full Committee.

DR. FERRER: Jorge Ferrer, Veterans Health Administration, staff
to the Subcommittee.

MR. BEATTY: Gary Beatty, 2004 Chair of the Designated
Standards Maintenance Organizations and also current Chair of the X12N
Insurance Subcommittee.

MS. AMATAYAKUL: Margaret Amatayakul. I’m a contractor to the
Subcommittee.

MS. PICKETT: Donna Pickett, National Center for Health
Statistics, CDC, and staff to the Subcommittee.

MS. GREENBERG: Marjorie Greenberg, National Center for Health
Statistics, CDC, and Executive Secretary to the Committee.

MR. REYNOLDS: Harry Reynolds, Blue Cross Blue Shield of North
Carolina, member of the Committee, and no conflicts.

MS. WARREN: Judy Warren, University of Kansas School of Nursing. I’ll have to
declare the way Stan did for
the DSMO report because I am Co-Chair of HL7’s Patient Care Technical
Committee.

MS. BURKE-BEEBE: Suzie Beebe, Assistant Secretary for Planning
and Evaluation, staff to the Subcommittee.

MR. MUSCO: Tom Musco, in the Office of Health Policy of ASPE.

MR. BIZZARO: Tom Bizzaro, First DataBank.

MS. HELM: Jill Helm, Allscripts.

MS. ECKERT: Karen Eckert, Medi-Span.

MS. GILBERTSON: Lynne Gilbertson, National Council for
Prescription Drug Programs.

MR. BROOK: Richard Brook, ProxyMed.

MS. REED-FORQUET: Lori Reed-Forquet, ASTM.

MR. SCHUETH: Tony Schueth, Point-of-Care Partners.

MR. SIMCO: Mike Simco, Walgreen’s.

MS. WILLIAMSON: Michelle Williamson, National Center for
Health Statistics, CDC.

DR. COHN: Okay. Good morning, everyone. I guess I should also
publicly disclose that I’m a member of the National eForum Claims Committee
representing America’s health information plans, so I think you’re going to be
testifying to a pretty conflicted bunch, Gary!

[Laughter.]

DR. COHN: Obviously, the reason we’re all here is we’re all
experts in the field, and as you know, that involvement sort of goes along with
that. But anyway, we look forward to your testimony, so please go forward.

Agenda Item: DSMO Annual Report – Gary Beatty

MR. BEATTY: Very good. Well, good morning, and thank you for
the opportunity to testify before you this morning to provide the 2004 annual
DSMO Report.

Before you, you have two different hand-outs; you have one
hand-out that is the actual report for this past year, and then you also have
the detail that goes with it, the appendix.

This year, our DSMO annual report will focus more on the
process improvements to the timeliness and predictability of the changes that
HIPAA has imposed on the standards development process from both a short-term
emergency perspective and a long-term perspective process rather than our
ongoing change request process.

This DSMO report covers a total of 16 months. During this
period, the DSMO only had 35 change requests. The monthly volume of submitted
DSMO change requests dropped from 11.4 to 4.2. The number of change requests
completing the DSMO dropped from 8.4 to 2.2 monthly. This year, the DSMO did
not receive any new appeals; one appeal from the last annual report was
completed during this last reporting period.

The reason or reasons for this decline in the change requests
are unclear. One possibility: It’s a sign of the maturity of the health care
industry’s implementation of the current transaction standards. Another
possibility is the change requests can be submitted directly to the Standards
Development Organizations, the SDOs, rather than the DSMO change request
system.

The SDOs either track already or are developing processes to
track modifications to show DSMO change requests versus the DSMO change
process. Whatever the reasons, there is continued need to insure that the
change request protocol remains responsive and appropriate to the needs of the
community being served, and the DSMO Steering Committee has done so.

During this period, the DSMO began processing its first
request to adopt a new version of an already adopted HIPAA transaction. The
DSMO is currently requesting the collection of supporting cost/benefit
information from the industry such as WEDI, AMA, ADA, AHA which will be
presented at a future hearing to begin the next steps towards processing the
adoption of the new version of a HIPAA transaction.

On Page 3, we have a graph that shows the number of change requests
processed, excluding withdrawn changes,
since the DSMO started processing change requests. As you look at the chart, it
clearly showed the time frame for the fast track – which is the first
spike that we have back in 2001, in February, where we went through the changes
that were allowed during the first 12 months after the transactions were
adopted; it also shows the other spike that we had just before the Oct. 16,
2002, transaction deadline. And then it also shows the tapering off the change
request workload that the DSMO had been processing on a monthly basis.

The DSMO has taken steps to improve the overall change
management and development process in two ways. Most notably, public
improvement has been a major revision to the DSMO website, which is
www.hipaa-dsmo.org, which supports the change request system. The site now
requires a more robust change request submission, and all requests in the batch
need no longer proceed in lockstep so that we can separate them out and process
them at different stages.

The CRS support of the code set change requests is on the
horizon. Further, the DSMO continues to work with HHS on ways to facilitate
implementation of the existing HIPAA standards and arrive at processes that
expedite change arising from regulatory requirements.

The DSMO Steering Committee wishes to express its appreciation to
Washington Publishing Company for its continued
and outstanding support of the HIPAA-DSMO website. The DSMO also wants to
recognize the individuals and organizations that constitute the Standards
Development Organizations and the Data Content Committees. Their participation
furthers the cause of administrative simplification. And we’d also like to
recognize our HHS observers, Stanley Nachimson and Gladys Wheeler.

Those organizations that are represented are on Page 4 –
myself, Larry Watkins and Alix Goss from an X12 perspective; Health Level
Seven, we have Maria Ward and Chuck Meyer; from the National Council for
Prescription Drug Programs, Margaret Weiker and Lynne Gilbertson.

From the Data Content Committees, we have Frank Pokorny and
Robert Lapp from the Dental Content Committee; the National Uniform Billing
Committee, George Arges and Todd Omundson; and the National Uniform Claim
Committee, Jean Narcisi and Michael Beebe.

I’m going to continue with the report on Page 6 of the report,
which kind of dives a little bit deeper into the change requests that we’ve
received during the past 16-month period.

The DSMO Steering Committee report basically ranges from March
31st, 2004; it covers the period from May through June. This was a
14-month period. That was our prior report. This one is going to be a
16-month report, so
when we compare the numbers, we really are trying to break down with kind of
disparate numbers a month for reporting, so we have focused more on the
percents than the actual numbers.

But the first series of charts here basically show the total
changes that were submitted. We do have two categories in here for changes that
are removed either by the administrator for basically silly questions that are
submitted and things that really are not germane to the DSMO itself; we also
have those that are removed from the submitter on here. We have the total
number that we did process, the 35 change requests, and then we have on here
the one appeal that we did process.

So, during this reporting period, the number of change
requests submitted has dropped by 63 percent. The number of change requests
actually completing the DSMO process dropped by 74 percent. Actually, this last
month, we actually had one month where we did not have any change requests at
all, which is actually the first time for us.

And we’ve also seen a drop in the number of change requests
that are being actually withdrawn by the submitters.

On Page 7, we break down each of those 35 change requests by
the various categories we identified for those change requests. That
includes modifications; these are changes
that do impact those that are using the transactions, and we did receive 12 of
those.

Maintenance changes are those changes that really do not
impact the actual implementation but are more clarification types of language
and so forth that help make the implementation clearer.

Category D is basically no change, makes no change to the
actual transaction standards. We did have one for HHS policy.

And then on Page 8, we have one new category that we added
just this last year, which is Category I, for recommendations for adoption of
the new or modified HIPAA standard. These are items that are classified that
result in a recommendation to the National Committee on Vital and Health
Statistics for the adoption of a new or modified HIPAA standard. Examples might
include a request for a new transaction or a new version or release of an
already named standard for a given transaction.

This is a new category for us. We created this last September
as we received a change request to adopt a new version of the 835 transaction
for health care claim payment/remittance advices, and we’ll highlight that in a
few seconds.

Again, Appendix I completes the complete list of all of the changes
sorted by category, their definitions, and
both the requests and the DSMO response.

Three of those change requests we do want to highlight. That
is, Change Request 795, which was an appeal that was part of our last DSMO
report that now closes out that report. This change request also resulted in
the NUBC and ASC X12 attaining agreement on the definition of various provider
types.

Change Request 1005 includes a special note because of an
impact to the ICD-9 for bed confinement status which could have an impact on
future implementation.

And then we have Change Request 1008, which includes the
request to adopt a new version of a HIPAA-mandated transaction, that being the
835 transaction.

So for Change 795, go to Page 11, just as part of this one
where we were dealing with provider types. As part of those deliberations, the
DSMO, specifically the NUBC and the X12 examined the usage around all provider
types – attending, operating, et cetera. As a result of looking at the
request from a broader context and other business needs in addition to the
Medicaid situation that was identified in this change request, we have put
together a recommendation that satisfies the business needs. So, again, working
a lot more with collaboration between the DSMOs.

In Change Request 1005, again, the NCVHS notice during this
process of developing the disposition for this change request that dealt with
bed confinement, we did learn that there is a new diagnosis code for bed
confinement status that was proposed in the October, 2004, ICD-9 Coordination
and Maintenance meeting. If approved, that could impact how this segment is
used in future implementation.

So I just kind of wanted to highlight that, as we look at codes
and so forth, the impact of those possible new codes to the actual transactions
that may require future changes down the road.

Then finally, Change Request 1008, the third of these three
– we did receive, again, the request to adopt a new version of the 835 for
the permits advice claim payment. The DSMO are currently working through the
process. We have tentatively approved it, pending the collection of additional
information from a cost/benefit perspective to support this recommendation
through industry outreach, and we’re working through organizations such as
WEDI, AMA, ADA, and the AHA. This information will assist the National
Committee on Vital and Health Statistics and HHS in the decision to initiate a
Federal regulatory process to adopt this new version of 835, claim payment
remittance advice.

The DSMO would ask to be added to the agenda of a future NCVHS
Subcommittee on Standards and Security hearing to present our official
recommendation and support information to adopt this new version.

Some of the other initiatives other than the change request
process – the DSMO and the Steering Committee are continuing to address
other matters that related to the implementation standards. Some have been
completed; others are still ongoing projects. The Steering Committee
appreciates the opportunity, again, to support the HHS and the NCVHS efforts to
identify and address issues related to HIPAA-adopted standards.

Number one, basically we’re looking at the new website.
Improvements to the DSMO website providing improvements in functionality, more
accurate and complete capture of information, ease of use have been completed
and were installed in June of 2004.

Some of the enhancements include the enabling of the posting of
responses to requests that have completed the process without delay requesting
of the pended extensions; adding more structured questions to the change
request entry forms instead of relying exclusively on free-form narrative text;
we did have changing the request contact information, and then we also added
the ability for the requester to revise change requests before the end of the
month so that as they submit change requests, rather than
once it’s submitted, cutting it off, we do now allow them to make changes.

Streamlining of the HIPAA standards maintenance process is
probably where we spent most of our time this last year, is Item Number 2,
which is also one of the major items that came out from last year’s report.

During the past year, we have focused much of our efforts on
this. These efforts have been concentrated on an emergency maintenance process
as well as a long-term modification process which are consideration within the
bounds of the regulatory process.

The emergency process maintenance is the process that allows
for the industry changes to be made to an adopted HIPAA implementation
specification between modification cycles. The Department of Health and Human
Services is preparing a Notice of Proposed Rule Making (NPRM) to propose
changes to the definition of maintenance under HIPAA. The NPRM will outline and
request comments on a proposed streamlining process to the change process. This
process would streamline emergency changes through the DSMO, the SDO, and HHS,
thereby reducing the timeline for maintenance changes.

The DSMO is currently waiting for the NPRM to be published to
be able to provide comments along with possible adjustments to this maintenance
process as a result of the final regulation.

The modification process is the process that must be followed
to name a new version of a HIPAA transaction or to name a new transaction. The
modification cycle for adopted HIPAA transactions includes the DSMO change
request and approval process, the SDO’s development process, the Federal
regulatory process to adopt the newly named version or a new transaction
implementation specification, and the industry implementation of a newly named
version transaction implementation specification.

This is a multi-year process.

Another outcome of the HHS-DSMO discussions is to develop a
more predictable process for the modification of the HIPAA-adopted transaction
standards. If, for example, an SDO can publish a new version every two years
and the Federal regulatory process takes an additional two years, in the best
case there would be a new version of the implementation specifications once
every four years. The DSMO is evaluating a predictable time frame that can
establish for the industry to be notified that new versions of transactions are
named and to be implemented.

Looking ahead, the DSMO will complete the collection of
supporting cost/benefit data supporting the recommendation to adopt the 004050
version of the 835 Health Care Claim Payment/Remittance Advice. The DSMO,
again,
would ask to present this in an upcoming Subcommittee meeting in the future.

The DSMO are waiting for, again, the definition for maintenance
under HIPAA in the NPRM and will adjust to that as it comes out. And the DSMO
are looking to continue to look for process improvements to develop a more
predictable, manageable, and efficient change process. Each of the Standards
Development Organizations will be working with HHS representatives to evaluate
the redundant processes where possible, including the public comment period, to
streamline that.

To close, this report reflects both completed and ongoing
efforts which will be the subject of reports in future hearings. The DSMO as a
collective organization continues to demonstrate its ability to merge both the
business and technical perspectives of the transaction standards as well as
emergency change and modification processes. The DSMO is well-positioned to
assist the National Committee on Vital and Health Statistics and HHS in
recommending modifications to the HIPAA-adopted standards or new standards yet
to be modified.

With that, I’d like to entertain any questions from the
Subcommittee.

DR. COHN: Yes. Well, Gary, thank you very much. Obviously, I
guess the proposal to, I guess, move to the next version of the 835 is really
the news here.

MR. BEATTY: That’s really the news. But at this time we’re not
ready to make that official recommendation. As we deliberated that, we needed
to be able to collect the necessary information to go along with the guiding
principles of HIPAA itself. It may help the industry be more cost effective.
What is it going to take the industry to transition from one version to the
next? What’s the cost? What’s the benefits?

And, again, we’re doing the outreach to be able to collect that
information, and as soon as we complete that, then we’ll be in a position to
actually make that recommendation to the Subcommittee.

DR. COHN: Do you think that will be an early April deliverable
potentially or is that too aggressive?

MR. BEATTY: The hope is to have that ready for April because
the Department of Health and Human Services is working right now an NPRM that’s
going to be coming out this summer, and the hope is to include this in that
regulation.

DR. COHN: Okay, great. Thank you. Michael, I saw you raising
your hand. Please?

DR. FITZMAURICE: This is a very positive report.

It seems to say that the DSMO process is settling down and that
we can focus on how to make it better and that that’s what you’ve been doing in
the past year.

I know we’ve been anxious to find out how we can streamline
things on our end, how we can make things go faster, either the regulatory
process or to find an alternative, and it looks like the DSMOs have been doing
the same thing.

Simon asked the question I asked, which was: When do you think
you’ll be ready to report? So, I don’t have any further questions. Just –
good job, Gary.

MR. BEATTY: Thank you.

DR. COHN: Harry?

MR. REYNOLDS: Yes. On Page 12 of your testimony, you talk about
the outreach that you’re doing with the industry. One thing I don’t note on
here is things like AFFECT or, just to use examples, WebMD, some of the others,
because if you look at the implementation of HIPAA, a lot of the vendor
situations and what it would take – when a cost/benefit is looked at, and
when input’s given, that may be another good set of people to reach out to,
because that’s always kind of the quiet part of HIPAA.

MR. BEATTY: Yes, absolutely.

MR. REYNOLDS: The providers and the payers and everybody are
focused on what it means –

MR. BEATTY: Right.

MR. REYNOLDS: — but the conduit that actually delivers it
tends to be those other people. So that might be a good addition to at least
consider.

MR. BEATTY: Yes.

MR. REYNOLDS: And you may have already done that, but it wasn’t
noted in here, so –

MR. BEATTY: Yes, absolutely, because as we look, so many of the
covered entities in HIPAA are very dependent upon the software vendors and
that’s definitely one of the categories of groups that we want to outreach
because they will have to go through and make modifications possibly to their
software product and so forth, and that’s part of what we have to collect as
far as the cost side. So we can identify with the benefits side and in the
outreach, we need to be able to collect: What’s the cost of making this
transition?

MR. REYNOLDS: Yes. Thank you, sir.

DR. COHN: Other comments or questions? I guess I would ask
obviously – I think perhaps it’s heartening – I don’t know whether
it’s heartening or not to look at the falloff in new suggestions, proposals or
otherwise. Do you think it relates to that either people have stabilized,
people are focused on the security implementation at this point?

I guess the other piece of all of this is that it doesn’t sound
like you’re getting a lot of requests to move the other transactions
forward at this point.

MR. BEATTY: Again, I wear a lot of different hats, so from a
DSMO perspective, we really don’t track the whys of what change requests are
falling off and so forth, so we really can’t say.

Other transactions are moving forward, from an X12N perspective
and an X12 perspective. We are working very diligently on Version 5010
implementation guides right now, some of those of which are already starting to
go through the X12N process to have public comments collected so that we can
move towards a final version of those.

As we progress in the future, we will see more requests similar
to the 835 to adopt newer versions of those. A lot of them are just excellent
documents that are cleaning up a lot of things that we need to clean up within
the industry and also to address the change requests that the DSMO have
received that are post fast-track process. I hate that word. But there’s a lot
of change requests that we’ve processed since then, and the newer version of
the guides are incorporating those, and so we’re working through that next
version of the implementation guides at least from an X12 perspective and we’ll
see those change requests coming forward as well in the future.

That’s part of what we’re trying to wrestle with right now
within the DSMO as we look at both the short-term and long-term process,
especially the long-term process. How do we manage change for the industry so
that we have a more predictable process for transitioning in that we don’t do
all nine transactions in the shotgun effect all at one time? And we’re trying
to find a very predictable mechanism and very timely process for moving from
one version to the next.

DR. COHN: Let me ask just a follow-on question about that
because I think it’s a very reasonable model. I think it is a lot to change
everything at once.

You know, the Subcommittee, in our discussions around
e-prescribing, has, I think, recommended the Secretary this concept of backward
compatibility and that if things are backward compatible, maybe it wouldn’t
have to go through the entire regulatory process.

Now, does that help or in any way apply to any of the
transactions that we’re talking about? I’m talking not about specifics but more
like the concept; is that at all valuable or useful when we’re talking about
the administrative and financial transactions?

MR. BEATTY: Well, as we look at the two different processes,
the redefinition of what maintenance is versus modification is, we’re working
with HHS to develop that supporting information for the regulation that’s
coming up. Those changes that we’re looking at as far as a maintenance type of
change, again, we don’t know exactly what it says in the rule, but it’s
anticipated that those changes won’t have to go through the full regulatory
process, versus, you know, when we do change from one version of a transaction
to another or adopting the transaction itself, that that does still have to go
through the full regulatory process.

Next week, X12 and NCPDP and others at the X12 meeting in
Nashville, we’re going to be talking about other mechanisms to help streamline,
and possibly overlapping comment periods and so forth, again, looking at
different ways to improve the process so that we don’t have to take four years
or so in between versions. You know, we still have to balance out what’s too
much change and too frequent versus not having enough change within the
industry because every time we do change, there is a cost to the industry to
make those adjustments. So it’s a balancing act between the processes, so,
again, we’re looking to see what the regulations do say relative to maintenance
and what’s allowed there versus what it takes to adopt new versions.

DR. COHN: Okay, well, let me just follow-up on that for just a
second because I do understand what you’re saying. Obviously, though, what you
will see this summer optimistically is a proposed rule –

MR. BEATTY: Right.

DR. COHN: — as opposed to a final rule, so I think that
there’s a potential difference. What I was actually just asking, and you may
want to bring back to the DSMOs just to ask them about, I was just wondering if
there was any value to perhaps looking at it differently.

Obviously, the modification pieces that you’ve talked about are
fine for emergency changes to current versions, but you still are going through
the process that we’re describing for version changes.

MR. BEATTY: Right.

DR. COHN: And once again, I don’t know the X12 transactions at
the level whether the compatibility is at all helpful or might ease some of
that transition either for the industry or for the regulatory process. And so
it was just a question. You may want to talk about it in April.

MR. BEATTY: Right. And actually, part of our 835, we’re
recognizing that the transactions, we don’t have to all stay in the version,
that, you know, if we’re on, say, for example, 4010 versions of the claim, that
the 4050 version of the 835 can be used to respond to that claim for a
remittance perspective. Certainly, backward compatibility works, and we all are
striving with that within our standards to make sure that if we do move from
one
version to the next, is there backward compatibility? We still have to deal
with the requirements in the regulations that says that only one version of any
given transaction can be active at any given point in time short of the
transition time.

DR. COHN: Okay. Jeff, you have a question?

MR. BLAIR: Yes. Congratulations for your progress.

MR. BEATTY: Thank you.

MR. BLAIR: This is a question that is not directly related to
what you do but maybe you’re in a position to give the Subcommittee a little
bit of guidance or advice on this topic because it’s related. Well, you’re
probably aware of the fact that in many cases, payers have developed companion
guides and they differ.

MR. BEATTY: Yes.

MR. BLAIR: And it undermines the ability of providers to submit
their claims in one single format and standards. The concept of HIPAA is eroded
to some degree by the companion guides. What guidance or advice do you have for
the Subcommittee as to what might be done, or could be done, or should be done
to either minimize the need for companion guides or converge the companion
guides? What guidance or advice do you have on this subject, if any?

MR. BEATTY: Okay. I’m going to take off my DSMO hat to answer
that question, and I’ll just put my personal hat on. You know, when you look at
the X12 and implementation guides, any of the standards documents you look at,
just because of the variability in the health care industry, there’s always
going to be some situations that need to be – I like to use the word
“over-clarified.” Some of the situations are in the guides; they
state they’re dependent upon a specific relationship between payers and
providers.

We don’t have one type of health system, we have different
varieties, and so forth, so there is some room and latitude for some
flexibility. There are some things that need to be over-clarified between two
trading partners. What type of document people use to do that can change, can
vary. Some organizations use trading partner agreements, some people call them
“trading partner profiles,” and a lot of people call them
“companion guides” or “companion documents.”

I believe there’s always going to be a need for supplemental
information to clarify some of those different types of situations.

The hard part with companion guides is how some organizations
out there have misused what a companion guide really is intended to do. And, really, a companion guide is
meant to over-clarify what is not clear in the implementation guide where there
are certain situational requirements in the documents that say that this
requirement is used at the discretion of the submitter receiver. We have some
content that’s required by payers that impacts their adjudication process for
certain types of health plans.

So the companion types of documents are meant to over-clarify
where the guide says you’re supposed to clarify something. The problem is that
some in the industry have misused that where they’re actually changing the
meaning and intent of the implementation guide itself, and that’s where the
industry really starts to run into problems.

So, companion guides are good and bad at the same time and in a
lot of cases they’re very needed documents to clarify the business situations
that are in the implementation guides but at the same time we have to guard
against organizations misusing it and basically changing the meaning and intent
of the underlying HIPAA standards that are being adopted.

MR. BLAIR: Do you think it’s possible for you or some other
appropriate group to be able to clarify where the boundaries should be on the
companion guides as to what areas of clarifications are appropriate and
reasonable and which ones impair standardization and interoperability?

MR. BEATTY: Well, I know from an X12 perspective, no. You know,
the question probably would be some of the other industry organizations, such
as WEDI and so forth – I know WEDI’s taken a lot of efforts collecting and
disseminating a lot of the companion guides and so forth – you know, is
that something that an organization like WEDI should take on? So they can go
out and collect information about what are people using the companion guides
for? What are the correct uses? What are the incorrect uses of companion
guides? Putting together essentially a white paper that could describe that

MR. BLAIR: Okay, good.

MR. BEATTY: — probably would be my recommendation.

MR. BLAIR: Thank you.

DR. COHN: Well, Gary, thank you very much. I think we’re all
very impressed with the progress being made by the DSMOs and we’ll look forward
to talking with you more. Oh – Harry, do you have a question? I’m sorry.

MR. REYNOLDS: Yes, it’s all right.

DR. COHN: Oh, please. Thought I was finishing up.

MR. REYNOLDS: If out of the review of the companion guides comes recommendations to changes in HIPAA,
reclassify situational fields which — your earlier point — that’s the actual
ones that create a lot of issues because they were put in the regulation as
situational, which means based on the relationship between the people doing
business, that there’s a situation then that needs to be sort of clarified.

MR. BEATTY: Well, there’s actually not that many change
requests that put it at the discretion of the submitter receiver. A lot of the
situations define the business situation, if that business situation is true or
false.

But the problem comes in where it’s really at the discretion of
the submitter receiver that a given transaction –

MR. REYNOLDS: The X12 regulation gives definitions of what
should be in individual fields. It does not necessarily go into relationships.

MR. BEATTY: Define “relationship.”

MR. REYNOLDS: Admission and discharge date versus procedure
date versus those kinds of things.

MR. BEATTY: Well, the guides do define those –

MR. REYNOLDS: Okay – it defines the fields, but not the
relationship.

MR. BEATTY: Right.

MR. REYNOLDS: Okay. Because as we go forward, as you look at
X12, I think relationships — and that’s where the black and white standard is
what’s creating the industry a whole lot of mess right now, philosophically,
because it’s a black and white standard but data has relationships — and so
trying to work those out amongst all the people with contracts and everything
else.

So I’m really excited about your process. And I think as these
companion guides get worked out through WEDI or whoever works it out, then your
streamlined process of moving some of that stuff that comes out of that into
change can move things along quickly.

So that’s the real positive out of today that I saw, Simon, was
the fact that with their streamlined process, and the fact that you don’t have
that huge backlog that you had the last few times you came in here, I think
with the WEDI study that comes out and then some of the things that were
mentioned that were going on, if that comes out with some kind of an answer,
then I think we might be in good position to really make that much more
streamlined. So I think that would be good.

MR. BEATTY: In a lot of cases where we can’t specify the
relationship of data content, we do, but there are some cases where we can’t
define it, you know. For example, if you have an auto accident, we have
situation language that requires that you have the state code in which
the state occurred, but if it happened outside the United States – so we
have a lot of those types of semantics where we can, in the implementation.

But again, there are certain cases where you can’t clearly,
black and white, always define the semantics between two different pieces of
information because you may only have an admission date; you may not have the
discharge date yet, so you can’t put it. But it says, if you do admission, you
have to have the discharge date.

But we do have separate places within the guides, so this is
where the admission date goes, this is where the discharge date goes.

DR. COHN: Well, hopefully we will talk more about it in April

MR. BEATTY: Yes.

DR. COHN: — as we move forward. Suzie, did you have a
question?

MS. BURKE-BEBEE: Kind of. After hearing Gary’s presentation and
then reflecting back on the hearings that we’ve had for e-prescribing, it’s
made me think about seeing that we have the same stakeholders. And thinking
process and the speed that we need with e-prescribing, I wondered if the
Subcommittee thought that it would be advantageous to the Department to expand
the MLU beyond HIPAA, to maybe use the DSMO process for fielding IT comments
during the NPRM process for e-prescribing. Is it a loaded question?

DR. COHN: Yes, I don’t choose to comment on that, but maybe
others on the table would like to make a comment.

MR. BEATTY: I’m not sure I understand the question.

MS. BURKE-BEBEE: I’ll let it rest.

[Laughter.]

DR. COHN: Okay. We can reflect on that, I guess, if we want to
make a comment to the NPRM around all that but I guess I’ll have to think about
it a little bit. I think the rest of the Subcommittee is sort of nodding their
heads that they’re going to have to sort of think about it a little bit, but we
have to talk about it.

Any other comments about that or any other –

MS. GREENBERG: I’m not sure I understood the question.

DR. COHN: The question or the comment?

MS. GREENBERG: Suzie’s question, yes.

MS. BURKE-BEBEE: We’ll talk later.

DR. COHN: Okay. Any other comments? Gary, thank you very much.
I expect we will see you back in April.

MR. BEATTY: Well, you’ll either see me or you’ll see my next
replacement. That will be Todd Omundson, who’s the 2005 Chair. So this kind of
concludes my role as the Chair. I’ll let Todd take over from here.

DR. COHN: Actually, I just want to take this opportunity –
I mean, Gary was telling me that he’s obviously finishing off his Chair of the
DSMOs, and we all really thank you for your service. And then I understand this
is also your end as being Chair of X12 and –

MR. BEATTY: Right.

DR. COHN: — so obviously I’m sure they are very appreciative,
as are we, of your effort and energy and all of this, so thank you.

Okay – well, anyway, we will talk more about this in
April, Gary, with you or your replacement, then. Thank you.

MR. BEATTY: Yes, thank you.

DR. COHN: Stan, do you have any final comments, or otherwise?

DR. HUFF: I don’t. I’ve been listening with interest.

DR. COHN: Okay.

MS. FRIEDMAN: This is Maria. I’m going to be emailing you a
chart about your availability — I’m trying to set up a conference call –
with some times and stuff.

Stan?

DR. HUFF: What’s that?

MS. FRIEDMAN: Stan, yes – it’s Maria. I’m going to be
emailing you a chart. We’re trying to set up a conference call, so I’m going to
go down and do that, so if you look for it, I’ll appreciate it.

DR. HUFF: Okay. Yes, I’m connected real time right now, so I
should get it as quick as you send it.

MS. FRIEDMAN: Great. Thanks.

DR. COHN: Okay. Well, now I’m going to suggest that we take a
10-minute break at this point before we sort of start launching into
e-prescribing. So, we’ll give everybody a 10-minute recess here.

[Break from 9:28 a.m. to 9:50 a.m.]

DR. COHN: Okay, we’re going to get started here. Would
everyone please be seated? Okay.

Now, what we’re going to be doing during this session is
continuing our review of sort of the – I think what has been described as
an early first draft of recommendation letters. Yesterday, we went through for
the first time and began to make comments, both wordsmithing and conceptual,
related to sort of the background information.

AGENDA ITEM: Subcommittee Discussion of Draft Recommendation Letter

DR. COHN: This morning, there’ll be some potential draft observations that the Subcommittee should
consider. These, I think, are just, at this point, as I said, early draft, sort
of proposed, subject to significant wordsmithing as well as they may or may not
be the right recommendations, and we sort of need the judgment of the
Subcommittee on that. The other question will be what additional
recommendations we may need to have.

So I’m going to turn it over to Margaret.

Jeff, do you have any comments as we move into these?

MR. BLAIR: The only comments that I might have for the
audience so that you can put these observations and recommendations into
context is, as Simon said, this is really the first time we’re discussing as a
Subcommittee these observations and recommendations, and Margaret and I
prepared a couplet, a pair, and there probably will need to be many more
observations and recommendations.

And for those of you who were not familiar with the initial
set of recommendations in September, we adopted a format which was different
than we’ve done in the past where, in order to deal with the complexity of
issues that we’re addressing in the recommendations, we would wind up having
one or two or three paragraphs describing those set of issues and we called
them an “observation,” and then we would have the recommendations,
one or two or three or four or five recommendations, that would address those
issues in the observation.

So, Margaret’s going to take us through the two that are our
preliminary, initial draft, and what we’d like her to do is take the time to
read through both of them because they’re not totally independent, and then
after she’s read through both of the observations and the associated
recommendations, then go back and we’ll start dealing with them paragraph by
paragraph and sentence by sentence.

MS. AMATAYAKUL: Okay. The first observation deals with a
fairly broad scope topic and the second observation deals with a fairly more
narrow scope.

Observation 1 is entitled “Development and Testing of
Baseline Guidelines for Securing Prescription Transactions over E-Prescribing
Network.”

[Reading] “Many testifiers emphasized to NCVHS how
important it is that e-prescribing be adopted in support of patient safety and
that transactions currently are conducted in compliance with HIPAA security
regulations.

“Today’s e-prescribing transactions are conducted using
several important security features, including credentialing prescribers and
dispensers, trading partner agreements to grant access to the networks, and
security protocols to provide secure transmission.

“The e-prescribing networks have indicated that they
provide the added value of reformatting a prescriber’s transactions to enable
acceptance by the dispenser system. In addition, the e-prescribing networks
must reconcile NCPDP codes across different versions of standards where
prescribers have used older versions for which there is no backward
compatibility.

“The result of e-prescribing has been improvements in
patient safety through eliminating the need for the dispenser to transcribe
often illegible, handwritten fax or paper prescriptions. In many cases, there
are also additional benefits of medication decision support embedded in
e-prescribing software.

“E-prescribing processes can support return receipts sent
from dispensers to prescribers that also contribute to identification of
potential fraud and abuse should a prescriber receive receipts for
prescriptions not written.

“Recommended Action 1.1. HHS should work with DEA and
State Boards of Pharmacy in establishing baseline guidelines for securing
prescription transactions over e-prescribing networks. These guidelines would
define the processes to be supported for secure, end-to-end transmission of
electronic prescription transactions for all but Schedule II substances.

“These processes would include, A, credentialing
prescribers and dispensers; B, compliance with HIPAA security requirements,
including those relative to access controls, authentication, data integrity,
audit control and transmission security; C, trading partner agreements to
establish security requirements based on risk analysis; D, requirement for
adoption of a minimum version of NCPDP SCRIPT that would not require NCPDP code
translation and requirement for acknowledgment of receipt return from dispenser
to prescriber that identifies drugs prescribed.

“HHS should clarify that these guidelines only apply to
e-prescribing network transactions using private leased lines or secure
protocols over the Internet. Different guidelines may be needed for other forms
of electronic transmission.

“Recommended Action 1.2. HHS should work with DEA to
support analysis into the potential risk associated with sending prescriptions
for Schedule II controlled substances through an e-prescribing network as
established in the baseline guidelines for securing prescription transactions
over e-prescribing networks.

“Recommended Action 1.3. HHS should include in its
e-prescribing pilot tests the evaluation of the adequacy of the baseline
guidelines for securing prescription transactions over e-prescribing networks
established through Actions 1.1 and 1.2.”

Observation 2 is entitled “Evaluating the Feasibility of
Strengthening Authentication Requirements and Providing Non-Repudiation.”

“Today’s HIPAA security rule requires adoption of unique
user identification for access control, as cited, and procedures to verify that
a person or entity seeking access to electronic protected health information is
the one claimed for person or entity authentication, as cited.

“Within the construct of the risk analysis also required
by HIPAA, as cited, covered entities may select the appropriate level of
authentication. Current security services used for authentication include
personal identification number (PIN), password, telephone call-back procedure,
token, biometric identification, or any of these in combination. The
combination of two measures is referred to as ‘two-tier authentication’.

“Today’s e-prescribing networks assign unique user IDs to
prescribers and dispensers and require a password for log-on to the network.
These authentication measures are bolstered by use of either private leased
lines or security protocols for transmission of prescription transactions
across e-prescribing networks.

“Testifying from chain and community drug stores reported that no prescriptions were accepted through email
attachment or other non-secure use of the Internet. However, in the future
there may be a reason to use the open Internet to send prescriptions. In this
case, non-repudiation services would be critical. There may also be the need to
enhance the security of prescriptions for Schedule II controlled substances.
Therefore, it is important to begin exploring the feasibility of adopting
public key infrastructure or other form of digital signature to strengthen
authentication and provide non-repudiation.

“Recommended Action 2.1. HHS should conduct pilot tests
to evaluate the feasibility of adopting stronger authentication and
non-repudiation measures such as provided for through PKI. These pilot tests
should be conducted in the general prescribing community and test the ability
to scale adoption of these security services for e-prescribing across
prescribers and dispensers in multiple environments.

“Recommended Action 2.2. HHS should conduct pilot tests
to evaluate whether methods of authentication stronger than those required by
HIPAA – for example, two-tier biometrics – provide sufficient
additional risk protection in relation to cost as to require them for use in
e-prescribing.”

And I just have place holders for others and for privacy.

MR. BLAIR: Maybe we could go back and start beginning with
Observation 1 and start going through that, now that everyone has a feeling for
what’s there as a whole.

MS. AMATAYAKUL: Do you want me to read that again, Jeff?

MR. BLAIR: Yes.

MS. AMATAYAKUL: [Reading] “Observation 1, Development and
Testing of Baseline Guidelines for Securing Prescription Transactions over
E-Prescribing Networks.

“Many testifiers emphasized to NCVHS how important it is
that e-prescribing be adopted in support of patient safety and that
transactions currently are conducted in compliance with HIPAA security
regulations.

“Today’s e-prescribing transactions are conducted using
several important security features, including credentialing prescribers and
dispensers, trading partner agreements to grant access to the networks, and
security protocols to provide secure transmission.

“The e-prescribing networks have indicated that they
provide the added value of reformatting a prescriber’s transactions to enable
acceptance by the dispenser system. In addition, the e-prescribing networks
must reconcile NCPDP codes across different versions of standards where
prescribers have used older versions for which there is no backward
compatibility.”

I have a question about that. In the NPRM we just saw
yesterday, it actually indicated – Version 5, I think it was – so I’m
not sure that this is any longer needed if all must be at least on 5.

DR. COHN: Say that – okay.

MS. AMATAYAKUL: Well, what we’re trying to do here is build a
case for the networks to be able to go in and reformat or change codes if the
code is an old code. And I’m not sure that’s really needed if the NPRM calls
for Version 5.

DR. COHN: Well, when until tomorrow when you have Version 6 or
Version 7, I presume. I’m not sure if I see any issues with it being up there.
Remember also that, I mean, once again, there’s a separate process with the
NPRM, but the NPRM is only a proposed rule.

MS. AMATAYAKUL: Yes. Okay.

DR. HUFF: Yes, I would agree. I think it’s good to leave this
in because even though you’re requiring it, I think there are nuances of coding
and other things that you want to have the ability to fix, because otherwise
you’re implying that everybody can in a flash, you know, or a big bang sort of
event, change from one version to the next.

And so I think this is much better, to keep it in.

MS. AMATAYAKUL: Okay.

MR. REYNOLDS: Margaret, is the word there “backward”
or “forward?” Usually when you’re using an older version, you have
trouble translating it forward versus if you have a new version, you have to do
it backwards. Or if you’re in the middle, you go either way.

[Laughter.]

MR. REYNOLDS: And that could happen, too, but I’m struggling
with “backward.”

DR. COHN: Do any of our people here have comments on this one?

DR. FITZMAURICE: Harry, usually the frame of reference is from
the new standard, that that’s where you’re planting your feet, is in the new
standard, because that’s the one you’re working on and the one you can change.
You can change the old standard; then it becomes the new standard. So is the
new standard backwards compatible, there being nothing to be forward compatible
with, so you plant your feet on the new standard.

MR. REYNOLDS: I understand that, but it talks about old
versions that go backwards.

MR. BLAIR: Would it be just easy to wind up saying
“backward/forward” so either way, the translation takes place, it can
be done?

MR. REYNOLDS: Were you going to comment?

MR. BROOK: Yes, Richard Brook from ProxyMed. The word
“reconcile” – we really look at translation and mapping versus
reconcile, because that’s what we’re doing. I don’t believe it’s really
reconciling. We’re doing those things. Thank you.

DR. COHN: Yes, Marjorie?

MS. GREENBERG: Well, I could start at the beginning here with
this observation. This is basically about security, this one and the next one,
and except for a description down at the end of that observation about why it
increases patient safety, there’s nothing else said about patient safety and
there’s nothing in the recommendations, I don’t think, specifically about
patient safety except good security would contribute to patient safety.

So we seem to be kind of dealing with two different things
here, and particularly that first sentence, I don’t know whether it’s saying
that many testifiers emphasized to NCVHS how important it is that transactions
currently are conducted in compliance with HIPAA security regulations or
whether it’s saying they testified how important it is that e-prescribing be
adopted in support of patient safety and they also testified that electronic
transactions currently are conducted in compliance.

So it seems like it’s sort of apples and oranges here. We got
two different things there.

So this is all about security; I mean, the business about
patient safety maybe belongs up above and this, it’s all about security. But in
any event, there has to be two sentences because it really wasn’t clear to me
what was being said.

MS. BURKE-BEBEE: Can we make the font bigger?

MS. GREENBERG: That would also be nice. [Laughs.]

DR. COHN: Yes, Margaret, I’ve been sort of bothered by the
first sentence; actually, even a little bit beyond that only because I tend to
think of observations as a place where we are making observations as opposed to
reporting on testimony.

MS. GREENBERG: Right. If reporting on testimony was above this

DR. COHN: Yes, and then we’re still seemingly the –

MS. GREENBERG: That’s why I suggested at least the whole issue
of patient safety being moved up.

DR. COHN: Yes, moved up or maybe a little more mom and apple
pie sort of allusion to the value of e-prescribing, which may or may not be
appropriate in this observation.

MS. GREENBERG: Appropriate to the letter, I think.

DR. COHN: Yes. I think it is mentioned earlier in the letter.

MS. AMATAYAKUL: So you’re saying take this first sentence out;
it’s not needed?

DR. COHN: Yes – well, or putting it somewhere else. I
think we were all sort of saying that we couldn’t figure out why patient safety
was being invoked necessarily in this observation –

MS. GREENBERG: Right.

DR. COHN: — I think is what –

MS. GREENBERG: And I really didn’t know whether they were
saying that people had said it’s important that these sort of transactions are
conducted in compliance with HIPAA security regulations or whether it was a
fact that they are, or you were observing that they were.

And I think it needs to say: “Many testifiers emphasize
that electronic transactions,” because otherwise it could be that they’re
talking about the paper transactions – e-prescribing transactions.

MR. BLAIR: I think it’s correct that we did receive testimony
on that.

DR. COHN: Yes.

MS. AMATAYAKUL: What did you all say?

MR. BLAIR: Oh, we’re muttering here. Should I get some
coherence to our muttering?

[Laughter.]

MR. BLAIR: We did receive testimony from a number of folks
saying that they felt that the e-prescribing transactions should comply with
the HIPAA security regulations. So I would think it’s appropriate to have that
somewhere in this first observation, but I don’t have strong feelings about it
and so –

MS. AMATAYAKUL: I think the point that we were trying to make
here is that today the networks are following what’s required by HIPAA and that
to require more than what’s required by HIPAA, such as two-tier authentication
or biometrics or PKI, would be over and above what HIPAA requires.

So the point is trying to be made that they are in fact
compliant with HIPAA today and explain how they are and why they’re value
added, and then go on to say that everybody should comply with these
guidelines.

So then, Recommended Action 1.1. is:

[Reading] “HHS should work with DEA and State Boards of
Pharmacy in establishing baseline guidelines for securing prescription
transactions over e-prescribing networks. These guidelines would define the
processes to be supported for secure, end-to-end transmission of electronic
prescription transactions for all but Schedule II substances.”

DR. COHN: Could I make a comment there? And I’m not sure if I
know how to wordsmith this one, and I know what you’re saying – we were
saying non-controlled substances and Schedule III, IV and V, though the way
you’re saying this to the person who is not aware of how all of this is
constructed is a little subtle, maybe is the term here. And once again, I look
to you to wordsmith exactly how we might want to wordsmith that.

MR. BLAIR: Are you saying we need more detail or –

DR. COHN: Oh, I think it just needs to be saying it clearly,
and I think Margaret is at least trying to at least put a place holder up
there. I think that we’re just sort of saying, I mean, something that we
understand, but it would certainly not be necessarily obvious to someone who
was not a prescriber, and how all of this plays together.

MS. GREENBERG: The background above explains it better.

DR. COHN: Well, I think it does, but once again I’m not
assuming that the people who are reading this are necessarily all experts in
the art.

MR. BLAIR: Is there a particular word or phrase in there that
leaves you with an ambiguous feeling? Where is the area in there that –

DR. COHN: Well, I think Margaret has already –

MR. BLAIR: Oh, she’s got it, okay.

DR. COHN: Margaret, do you want to –

MS. AMATAYAKUL: Let me read this sentence:

“These guidelines would define the processes to be
supported for secure end-to-end transmission of electronic prescription
transactions for all Schedule III through V controlled substances and
non-controlled substances but not for Schedule II controlled substances.”

MS. GREENBERG: I would just reverse that. I’d say “for all
non-controlled substances and Schedule III through V controlled
substances.”

DR. COHN: Yes. I think we may even have further suggestions
here – please.

MR. BIZZARO: Tom Bizzaro, First DataBank. I wonder if the
Committee wants to limit to just those controlled substances in Schedules III
to V. And understanding that we do see different scope here where III to V has
a certain level of security that you would demand, I’m wondering here, though,
in a suggestion, that you don’t want to exclude Schedule II because what I
would like to see at some point in time is that all prescriptions can be
prescribed electronically as long as the security is sufficient to protect
against abuse.

So I’d like to broaden this a little bit, and again, I
understand that Schedule IIs are probably an area that we could keep separate
because they are the most abused products and they do have a smaller impact
than the III to V.

DR. COHN: Jeff, I think you wanted to comment?

MR. BLAIR: Yes. Tom, I think that’s a good point, and the
reason that we yanked Schedule II out was we felt that there might be different
criteria required for that and we didn’t want to burden the guidelines of
everything else based on what was necessary for Schedule II.

However, maybe if we added a separate sentence indicating that
separate criteria for Schedule II should also be considered but consider those
guidelines separately so that they don’t set the bar for everything else. Tom,
would that address your concern?

MR. BIZZARO: It does. That makes perfect sense because there
are different levels of security that you would expect for Schedule IIs.

DR. COHN: Yes.

MS. AMATAYAKUL: Could I ask for clarification? So what you’re
suggesting is that the recommendation in 1.2, should that be moved up to here, to 1.1?

MR. BLAIR: I don’t remember what 1.2 is.

MS. AMATAYAKUL: 1.2 is “HHS should work with DEA to
support analysis into the potential risk associated with sending prescriptions
for Schedule II controlled substances through an e-prescribing network as
established in the baseline guidelines for securing prescription transactions
over e-prescribing networks.”

MR. BLAIR: Oh, I forgot that that was there. Tom, does not that
address your concern?

MR. BIZZARO: It does, and it may be that it is the positioning
of it, Margaret, because I’m like Jeff; I just kind of forgot that was there,
because I look at it as saying, okay, they’re not going to consider Schedule
IIs. And then when we go into the second recommended action, you do.

So it probably was my observation of the first recommendation
in isolation.

MS. AMATAYAKUL: Should I say up here maybe, “see also
Action 1.2?” Would that help?

DR. COHN: Why don’t you put in parentheses some potential sort
of wordsmithing? I think to me the question is do we want to say “See also
Recommended Action 1.2” or do we want to say – I mean, my own view is
that we seek the day where all controlled and non-controlled substances can be easily transmitted as e-prescribing but realizing that the
work for Schedule II is somewhat different. But a change something like that
really breaks up the train of thought on 1.1.

MR. BIZZARO: To me, it’s just the “but not for Schedule II
controlled substances.” I think if you’re going to talk about III to V,
you can talk III to V, and if you remove that and the next recommendation does
look at Schedule II –

DR. COHN: Well, that may be a very simple solution. Go ahead.

Other comments, please? Yes, Eleni, we’ll get you next.

MR. WHITTEMORE: Yes – good morning. Ken Whittemore from
SureScripts. I’m a little concerned about mixing non-controlled with controlled
here, and my line of thinking is that I don’t believe controlled non-controlled
prescriptions is the DEA’s role.

So having, say, the HHS should work with DEA and State Boards
of Pharmacy could be problematic. And the reason I say that is the DEA has
already expressed a strong preference for the PKI and digital signatures. If
that were to, by a collaboration like this, become something that was required
for non-controlled substances, that would cause us in the industry a lot of
problems.

DR. COHN: Okay – so let me just re-describe this, and then
maybe we’ll ask Eleni for comment and then we’ll ask from Maria, but I think
what you’re suggesting is that we talk very specifically in this action
recommendation about Schedule III through V and that maybe we have a different
recommendation that addresses non-controlled?

MR. WHITTEMORE: That would be my recommendation, yes.

DR. COHN: Okay. Eleni, are you going to comment on the same
thing?

MS. ANAGNOSTIADIS: Basically. I echo Ken’s comments because the
DEA really has no authority over non-controlled substances and it could muddy
the waters. If they haven’t come out with a position, we don’t know what
direction they’re going to take.

So my recommendation is perhaps to leave the top with
non-controlled substances and then perhaps pull the Schedules III through V
into Recommended Action 1.2 below and maybe have a separate sentence for
Schedules III through V and then a separate sentence referring to the Schedule
II prescriptions.

DR. COHN: Yes, or maybe these are three separate action items.

MS. ANAGNOSTIADIS: It could be, it could be.

DR. COHN: Yes, okay. I want you to stay here for just a minute
or two more while we continue the conversation. Maria, did you have a comment
on this?

MS. FRIEDMAN: I actually had a couple of comments. If we do
what she suggested and pull all the Schedule stuff down, then it should be then
“HHS should work with the State Boards of Pharmacy in establishing
baseline –”

I’m having re-entry problems this morning, but I’m kind of
confused as to what these baseline guidelines are. What are they – model
language? Is it a list, “Thou shalt,” “Thou shalt not”
– is it — I understand what we’re trying to do maybe, but I’m not sure
what the guidelines really are.

MS. AMATAYAKUL: I think the intent here was that we heard that
for the most part the networks do things like credential prescribers and
dispensers and they have to comply with HIPAA and so forth and so on, all of
these five things here, but that they may not all do them all, and so we kind
of wanted to bring everybody to a baseline of certain activity.

DR. COHN: Okay, and –

MS. FRIEDMAN: I mean, thinking about the process, normally we
don’t do anything unless it’s rule-making, so my question is: Is this model
language, you know? And then it gets into a whole process and morass about
who updates it and who’s in charge of it and all these other things.

DR. COHN: Okay, let’s try to divide this into three – I
mean, we’re having two conversations here; I’m a little concerned. Lori, are
you talking on this issue or a different –

MS. REED-FOURQUET: Yes, just briefly on this issue, and I think
we may be coming to that. Lori Fourquet, ASTM.

But the controlled substances – and she just took away the
III through V – seems that it should say II through V. Even though we do
want to ultimately look at them, I would point out that there’s certainly
significant abuse, other controlled substances such as Xanax, which is a
Schedule IV substance, and so there are other considerations and it should
certainly assure security requirements for III through V as well as II.

DR. COHN: Okay, thank you for your comment.

Let me just sort of ask, and try to go through this in some
sort of a fashion, and I think there’s sort of two sets of questions. One is,
what sort of buckets we’re talking about, and then the next question is, which
is, I think, Maria’s question, which is: What in the heck do we mean by
“baseline guidelines for securing prescription transactions” and what
do we really mean by that, in a way that it’s –

MS. FRIEDMAN: And how would it kind of work?

DR. COHN: I guess I would look at Subcommittee members –
we’ve talked before about the three different buckets. Are we comfortable with
moving forward with three different buckets? So we’re talking about effectively
three different recommendations, and Margaret may put them together in
subheadings of whatever.

MS. ECKERT: Karen Eckert from Medi-Span. I thought yesterday
when we talked about this, what we were recommending was that Schedule IIIs and
Vs would be treated with the same level of security as the non-controlled. I
mean, that was the recommendation I thought we wanted to take back to DEA
– not to have three different levels of security but III through Vs and
non-Scheduleds and then Schedule IIs as possibly being something a little more
strict. And if you’re putting them into three buckets, I think you may be
losing some of that.

That was my observation from yesterday, but I think we’ve lost
that point.

MR. BLAIR: Could I –

DR. COHN: Jeff?

MR. BLAIR: — relate to that? I think we’re struggling here, so
if I articulate what I think the struggle is, then maybe somebody could come up
with a good way for us to resolve it.

It sounds to me like one of the problems we’re trying to avoid
is a fragmentation where prescribers have to use different methods for
different levels of these, you know, Schedule II, III, IV, V, and others that
are uncontrolled substances. So we don’t want to impose this fragmentation.

On the other hand, we also don’t want to impose having
everybody adhere to the most strict guidelines of security like Schedule II.

So how do we wind up constructing guidelines or recommendations
that will apply appropriate levels of authentication and non-repudiation –
well, I don’t want to maybe go that far – these guidelines, without
imposing things unnecessarily and fragmenting them?

DR. HUFF: This is Stan. Even though our recommendation would be
that the Schedule III through V follow the same pattern, since the DEA does
control that, I think there has to be the recommendation that there be
discussions with the DEA or get approval from the DEA to do that. So I think
that’s the reason I would favor breaking it out, even though our proposal would
be that it follow the same path as non-controlled substances.

DR. COHN: Well said, Stan, and Harry’s going to comment also. But I think
that what Jeff said somehow needs to
be incorporated in here, and maybe Harry has some wording. But I think we do
need to say that issue, about lack of fragmentation, because we’re sort of
saying that but not directly saying it, and I think that’s a very key issue
here. Harry?

MR. REYNOLDS: I think we’re all in violent agreement.

[Laughter.]

MR. REYNOLDS: Let me try to structure it maybe a little
differently.

Our observation is that we heard that there are clear current
ways of securing e-prescribing work, the multi-tier and everything that they’re
doing.

Second, we know that there are three distinct categories of
drugs. Buckets – we use buckets, just to use our example.

We talked about making three recommendations. Recommendation 1
would be for non-controlled, Recommendation 2 for III through V and
Recommendation 3 for II.

The first one obviously – we would like at least the first
two recommendations, which handle the majority of the drugs and even though the
second one is controlled, to have somewhat similar structures in their
security, with Schedule IIs obviously needing maybe a further step, but also
recommend that as the DEA looks specifically at Recommendations II and III,
incorporate those with 1 because overall implementation usability is really
what’s going to decide the success or non-success of whether this thing really
gets traction in all arenas. That’s a thought, and a suggestion.

DR. COHN: Yes. Margaret, do you want to read what you wrote up
here or is that –

MS. AMATAYAKUL: Okay. So I’ve got four.

[Reading] “Recommended Action 1.1. HHS should work with
State Boards of Pharmacy in establishing baseline guidelines for securing
prescription transactions over e-prescribing networks. These guidelines would
define the processes to be supported for secure end-to-end transmission of
electronic prescription transactions for all non-controlled substances. These
processes would include” – and that’s the same stuff.

Action 1.2 would be:

“HHS should seek acceptance from DEA for adopting baseline
guidelines for securing prescription actions over e-prescribing networks for
Schedule III through V controlled substances.”

And Action 1.3:

“HHS should work with DEA and State Boards of Pharmacy relative to
supporting analysis into the potential
risk associated with sending prescriptions for Schedule II controlled
substances through an e-prescribing network as established in the baseline
guidelines.”

MR. BLAIR: Could I add one piece to that?

MS. AMATAYAKUL: Yes.

MR. BLAIR: I think you solved one part of our dilemma by
breaking them into three, and that’s probably fine. Maybe we need to add one
other statement to create the balance, and the additional statement is that as
HHS works with DEA and the State Boards of Pharmacy to accomplish
Recommendations 1.1, 1.2 and 1.3, they should attempt to come up with
guidelines that will minimize or avoid an impact on the users, the prescribers,
so that they don’t have to use completely different processes for each of
these.

MS. FRIEDMAN: I’m still having problems trying to conceptualize
all this. Are we trying to look, in the end, at having an end product or an end
result, something what NIST put out, kind of like a document with guidelines
that lay this all – I’m just having trouble getting my head around it.

MR. BLAIR: Well, I don’t think we have the solution at this
point. We’re really asking —

DR. COHN: Yes – let’s be sure we have the right buckets, and then let’s
figure out – what I’m trying to do
is to divide this issue because I think we need to get back and look a little
harder at the key piece here, what it is that we’re talking about. But, Harry,
does this sort of go along with what you’re saying?

MR. REYNOLDS: Yes, I think it does. I think after we make the
first recommendation, we need to maybe reference it in 1.2, whether or not
those could be considered in a similar way as whatever comes up in
Recommendation 1.1.

MS. AMATAYAKUL: Could you say that again? I’m sorry.

MR. REYNOLDS: We have had our discussions that basically we
feel that non-controlled and III through V could be handled in a similar way
and are in fact being handled similarly now, is that correct? So that’s what I
think we’ve heard.

So 1.1, I’m fine with. 1.2 says you should seek acceptance from
DEA for adopting baseline guidelines possibly based on the same premise in
Recommendation 1.1.

DR. COHN: Yes. Eleni?

MS. ANAGNOSTIADIS: Eleni from NABP. Just one point that I want
to make under Recommendation 1.1, where we talk about the State Boards of
Pharmacy establishing the baseline guidelines.

I think that whether it’s inferred, we need to state that the
State Boards will work with the DEA because I think if the DEA works in a
vacuum and the State Boards are working in a vacuum on this, there’s not going
to be the communication for the DEA to understand maybe what the thought
processes are, and how do we want to mesh at least having involvement from the
DEA as the State Boards develop those baseline guidelines.

DR. COHN: Okay. Is that 1.1 or 1.2?

MS. ANAGNOSTIADIS: Well, 1.1 said “HHS should work with
the State Boards,” so it looks as if the State Boards are going to
establish the baseline guidelines. And would the DEA be more willing to accept
those guidelines for Schedules III through V if they’re involved in the
process?

MS. AMATAYAKUL: Maybe that should be a separate recommendation,
and that’s the bucket.

DR. COHN: Maybe Steve has a –

MR. STEINDEL: I don’t know if I’m going to clarify things or
muddy the water, but I’m starting to have the same problem that Maria’s having
of –

MS. FRIEDMAN: What are we doing?

MR. STEINDEL: Yes, what are we putting together in 1.1? 1.1 is
partially the key of how this is going to come together. And the thing is, I
think we’re being very prescriptive about what’s happening here. “HHS
should work
with the State Boards of Pharmacy in establishing baseline guidelines for
securing prescription transaction over e-prescribing networks.”

You know, I don’t know what form this is going to take. I don’t
know what it’s going to be used for, or how it’s going to be instantiated. And
probably we should say something like “HHS should initiate a process that
works with industry, the State Boards of Pharmacy, the DEA to develop baseline
guidelines to secure –” so it’s a little bit more ambiguous and the
process itself can define the end product.

And one thing that it says here is when we’re working with the
State Boards of Pharmacy, I have this picture, if we read it very strictly, HHS
now has to work with all of the State Boards of Pharmacy individually, whereas
if we say it’s initiating a process, then we can probably like work with your
organization to develop it, and we have a little bit more flexibility.

MS. FRIEDMAN: Sounds like we’re established a commission.

MR. STEINDEL: Basically, yes. I mean, that’s basically what
we’re – because we haven’t heard from the industry what these are, so
somehow they have to be put down. We’ve heard that there’s a set that does
exist but it’s not exactly the same in each one of them. This may occur
very quickly, but I think we need to describe more of a process than an actual
thing.

MS. FRIEDMAN: I agree with Steve. You’re getting me. You’re
addressing a lot of my issues. But I still have –

MR. STEINDEL: You mean I got closer? Good. [Laughs.]

MS. FRIEDMAN: We’re closer, but I’m not there yet.

DR. COHN: Okay, well – Marjorie?

MS. GREENBERG: Yes, I guess Maria definitely got us into the
forest rather than the trees here and now I’m finding myself a bit confused as
well. I don’t have the actual letter, so it’s hard for me to remember what was
– but I think the title of this whole thing is “e-Signature,” am
I correct? Electronic signature.

SEVERAL PARTICIPANTS: Observation.

MS. GREENBERG: Okay, so —

MR. BLAIR: This Observation 1 is the establishment of the base
guidelines.

MS. GREENBERG: Well, but the big heading is “Electronic
Signature Observations and Recommended Actions.”

MR. BLAIR: Yes.

MS. GREENBERG: So we know that electronic signature was
supposed to be one of the standards under HIPAA that got deferred, and so I
don’t know how much of this is actually recommending a process to get to an
NPRM and a regulation on electronic signature or whether – I mean, because
this is called an electronic signature observation – or whether in fact
this is something in lieu of ever doing the regulation on electronic signature,
how this differs from the security rule. So I guess I’m back to basics here,
too, and Maria’s answer is shaking her head up and down –

MS. FRIEDMAN: Yes.

MS. GREENBERG: — yes.

MR. BLAIR: I don’t know that anybody knows the answer to that
question yet. I mean, we do need some guidelines here. Whether those guidelines
will be to the point where you’d want to an NPRM, I don’t know, but I think the
industry needs some type of guidelines and I think Steve’s words of beginning
the process maybe starts to get us down that path so we have some progress.

MS. GREENBERG: Well, then we need to be, I think, explicit
about that. This may lead to rule-making –

MR. BLAIR: Okay.

MS. GREENBERG: — on electronic signature or it might be –
I don’t know. I mean, I’m not getting any clarity as to what our
recommendations are on electronic signature from this.

DR. COHN: Phil, maybe you can help us out of this morass.

MR. ROTHERMICH: Phil Rothermich with Express-Scripts. I guess
I’m with Maria; I’m sort of scratching my head on what the difference between a
proposed baseline guideline is compared to a proposed standard. And if the
problem is that there isn’t enough industry consensus on what the floor should
be, then maybe the recommendation to HHS is pick a floor and propose it as a
rule and pilot it and test whether it adequately secures the system.

My concern about using a term like “baseline
guideline,” particularly in the context of working with the states, is it
suggests that then everyone will tinker with it and we’d have a whole bunch of
different ways of doing things as opposed to pick a floor, get everybody to
agree to it, and call it standard.

And I don’t know how we get from here to there, but it’s just
an observation.

MR. BLAIR: The perception that I have is that we’re nowhere
close to the point where the industry or DEA or HHS could pull together a
consensus on what a standard should be for these areas and that what we’re
trying to do is saying how do we make a forward step to try to move
everyone towards consensus?

And so we thought the lowest level we could start with is
baseline guidelines and that as there’s more experience in the industry,
probably through the pilot tests, maybe over time we might someday get to a
point where we could all agree to standards on this but we’re not close to a
consensus on what those standards should be.

So, anyway, that’s – I hear Steve reacting, so he may have
an opinion.

MR. STEINDEL: Yes, I have a general reaction, specific one, to
several of the comments that were just made.

HHS went through the same process and the same thought process
with regard to the security rule, and they decided that they can’t do this, and
they just put in the security rule: This is up to your individual requirements.
Do a risk assessment and figure out what you need to do within your own
environment to secure the health care information.

And we’re trying to be prescriptive in an area where HHS has
already made the statement that they’re not going to be prescriptive, and I’m
wondering if we should just back off from all this and just say that, that this
should be handled the same way as it’s being handled in the security rule and
that the e-prescribing networks should do a risk assessment and define the
way they are going to secure
their information and HHS, in evaluating it like they do with the security
rule, you know, when something comes up, they will beg the judgment as to
whether it’s correct or and they could issue FAQs like they do with the
security rule about what they consider to be appropriate.

And then, as a separate recommendation, then there needs to be
something established with the DEA because they’re going to do something
specific, but that’s in controlled substances.

And I really have a little bit of a problem where we’re talking
about three bins. There’s two bins. There’s non-controlled substances and
there’s controlled substances. And then there’s two cases in controlled
substances.

DR. COHN: Well, okay, so there are two big bins with one bin
having two compartments.

MR. STEINDEL: One with two compartments. And no, no, the
important thing there is, Simon, what I would like to push for is I would like
to push for controlled substances to be treated the same way as non-controlled
substances and not differentiate out the control, too, that this system be
secure enough and make DEA happy enough that e-prescribing is e-prescribing and
it’s irrelevant what type of substance it is.

But I don’t think that’s going to happen; I agree. Someone in
the back just made that comment. But I think we should go in with the open
position that we’re looking for all the same and bargain for putting Schedule
IIs as separate.

DR. HUFF: So – Simon?

DR. COHN: Yes, Stan.

DR. HUFF: Can I make a comment?

DR. COHN: Oh, please. Please.

DR. HUFF: Was that a yes?

DR. COHN: That was a yes.

[Laughter.]

DR. HUFF: Sorry, they cut off your response.

You know, I think Steve’s headed in a good direction, but it
seems to me that while we for sure don’t want to specify particular
technologies, it would be good to give some guidance further, more guidance
than just saying “do what you think is right.”

So, I mean, I think what we would like to do is be able to say
something like “individuals should be credentialed” and without
getting into the micro-steps of how credentialing might work, there would be
something that said it, you know, that there should be credentialing and that
the transactions should go over a secure network and say that two things that
are in use now are VPN and something else but you can use something else if
it’s as good or better than that.

And I’d go through each of the areas and make some
recommendations about what we think the functional, if you will, the
requirements are and technically how you meet those requirements.

I agree we don’t want to specify that because there will
probably be better solutions soon and we don’t want to prevent people from
using better solutions that are accomplishing the same goal, but I don’t think
it helps to just sort of be silent or just say “do what you think is
right.”

The second thing, it seems to me, is that it’s important to say
what we want this to be. If we actually want it to be a standard, then I would
propose that you move it out to one of the standards bodies and let them
produce a standard.

I guess in my own mind I’m thinking that really this should be
directed at creating a rule or regulation so that it would be a suggestion for
the creation of an NPRM around electronic signatures and e-prescribing.

DR. COHN: Maybe I’ll make a comment and then I know Michael
wants to make a comment.

I guess I’m sitting here as you’re talking, looking at Action
1.1, and of course, I mean, we’re still sort of obviously all struggling
with what this thing is. But
of course, one would observe that the things at least in this draft
recommendation are really all things that are already talked about in the
security rule.

SEVERAL PARTICIPANTS: Right.

DR. COHN: And so now the way it’s written here, somehow it
almost looks like – well, some of it security and some of it is things
beyond that, but I think most of these things are things that are inherent in
the security rule. And so these become sort of examples of things being
consistent with the security rule and a risk analysis. And, of course, these
are sort of good practices, which I think is what I’m hearing here.

Now, I guess, given, I think, as Steve has commented, that the
industry has not been particularly successful yet in coming up with a standard
on this thing, I don’t know what the value of sending this off to a standards
development organization is.

I’m going to let Mike make a comment. I guess I do think that
we’re all sort of in violent agreement that at the end of the day, what we’re
trying to do is to get to a set of recommendations that say, number one,
current approaches appear to be satisfactory in terms of security; we’d like to
see III through V; we realize that the controlled substances are separate
– we’d like to see, I think, at the end of the day, all controlled
substances handled
in a uniform fashion with non-controlled substances — however, we do realize
that Schedule II drugs are really a very different thing, require more
analysis, and may really require a different approach or special handling, but
we’d like to see III through Vs handled in the same way.

And I think somehow, in all this verbiage, I think we need to
not lose sight of where we’re trying to go. And actually, I should ask the
Subcommittee: Am I saying what you all think at this point?

MR. BLAIR: Could I comment on what –

DR. COHN: Well, you do, and then maybe Michael. I’m just
looking at the Subcommittee – Stan, are you fundamentally in agreement
with what I was saying?

DR. HUFF: I am, yes.

DR. COHN: Okay, I just wanted to make sure that we were. I
mean, if we’re not even in agreement generally, we’re in big trouble at this
point, this conversation. Jeff?

MR. BLAIR: Let me paraphrase, see if I am in convergence.
Number one, I think we are driving towards the best we could have in place to
help with the pilot tests and after the pilot tests, and I think that it’s
unrealistic to expect that we’re going to be able to come up with a standard in
this area that the industry will come to consensus on in that time frame.

So the idea of setting a direction here for folks to work
together to come up with at least some kind of basic principles or guidelines
during this next year that could be applied in the pilot tests, I think that
that’s what we’re trying to do. And is that what you were trying to say?

DR. COHN: No. I actually don’t think that this is a pilot test
issue that we’re talking about. I think that there’s a lot of e-prescribing
that is occurring now; there will be a lot of e-prescribing in 2006 that occurs
without pilots. And I think what we were hearing, and I think what I’m
responding to, is concern that with all of the e-prescribing pilots, with all
e-prescribing, period, security is obviously in place and we need to start
working on the DEA issues is what I’m trying to say.

Jeff, is that in divergence from you?

MR. BLAIR: Just to go down that path, that’s okay.

DR. COHN: Yes. And that’s all I’m trying to say here. So, Jeff,
are you concerned? Ask Michael to comment? I can ask Michael to comment.

MR. BLAIR: The point is, I think, everybody else seems to feel
like that’s the most practical path, so go ahead – go forward.

DR. COHN: Yes. Michael, do you have a comment?

DR. FITZMAURICE: No, you’ve just said it, essentially: Let’s
look to the security rule and things that are reasonable and addressable and
let DEA do what’s required. The accreditation of professionals seems to be
something that DEA would address in what they do.

And as I talk to the current network providers around the room,
they seem to have it well in hand. They don’t report any tap-ins and any
egregious violations. So what they have is working. So I would give them room
to work and to come up with any additional things beyond the security rule that
they would want to do, and there’s time for that.

I agree with everything you said, Simon, and I support what
Steve said. I like Stan’s addition of the accreditation.

DR. COHN: Maria?

MS. FRIEDMAN: If we were looking for the floor, I think the
security rule is probably it.

SEVERAL PARTICIPANTS: Yes.

DR. COHN: Margaret?

MS. AMATAYAKUL: Could I ask a question? I’m hearing two
separate things.

I’m hearing that we’ve got three buckets, however that should be arranged,
and we’d like to bring them all
together. I’m comfortable with trying to work on that aspect of it.

What I’m hearing, though, separately is, what is this – is
it a standard, is it a rule, is it guidelines, is it no statement at all, just
go forward with HIPAA? And that’s not clear to me, what direction you all are
taking. If you could sort of put to rest the three buckets because I think I’m
hearing agreement on that. I’m not hearing agreement on rule, standard,
guidelines, et cetera.

MS. FRIEDMAN: I think you have it backwards. I think we need to
figure out kind of where we’re going, because then the buckets will sort
themselves naturally there.

MR. BLAIR: I’m confused!

DR. COHN: Okay. Well, I’m going to look at Eleni a little bit
on this one just to see how far off we are.

Let me just make a proposed – once again, a straw
man/straw person comment here. I mean, number one is I think we’re saying that
the security rule is a very good rule; it obviously includes a lot of risk
analysis that every organization who’s a covered entity needs to be involved
in, and it’s working. And we certainly think that that covers non-controlled
substances.

We believe that there’s an area of – maybe not the term
“ambiguity,” but there’s an area that relates to controlled
substances where there needs to be conversations between HHS, State Boards of
Pharmacy and DEA to resolve how to best handle the issues of e-signature and
other security issues relating to controlled substances. We urge that the
outcome of the discussions relating to Schedule III through V be consistent
with policies and processes in place for non-controlled substances and we
recognize that Schedule II will require further investigation.

And I’m going to sort of stop there.

MR. BLAIR: Can I add just one piece to that?

DR. COHN: Sure.

MR. BLAIR: And that is, you’re saying this in the context right
now of the e-prescribing networks and what we need that will work within the
e-prescribing networks now.

DR. COHN: Right. This is Recommendation 1, as opposed –

MR. BLAIR: Right.

DR. COHN: — to further work –

MR. BLAIR: Exactly.

DR. COHN: — to deal with PKI and sort of continues the idea
that Schedule II needs further research and evaluation.

But I think what I’m trying to say is just sort of the obvious,
because I think in all these guidelines and all that we sort of have gotten
ourselves confused. Margaret?

MS. AMATAYAKUL: So that really the first Recommended Action
relative to let’s just leave HIPAA for the non-controlled substances is not
really a recommendation directed to HHS but already is in place. So what I’m
stumbling is we usually have been putting HHS to do something.

DR. COHN: That’s a good question. Maybe it’s an observation.
But once again I would ask the Subcommittee members, because I may be going too
far on all of this, but I think we all keep coming back again and again to the
need for a good risk assessment following the guidelines from the security rule
that seem to have held up pretty well.

And so that’s an observation that works. I think maybe this
isn’t an action but that HHS accept that as appropriate for e-prescribing of
non-controlled substances. Jeff?

MR. BLAIR: Yes. I think the importance of what Simon is saying
– and let’s see if I’m right this time – is HHS needs to get some
agreement from DEA and the Boards of Pharmacies across the land that when we’re
dealing with Schedules III, IV and V that that could be used over
e-prescribing networks today without PKI. And I think there needs
to be some agreement with that because that’s an area of ambiguity and it needs
to be cleared up and we’re saying that the baseline guidelines need to be
agreed for that, and that that is Observation number one. Is that correct?

Did I go too far? Too deep?

DR. COHN: I don’t think we’re really into that. I think you’re
moving into the answer and I think we’re trying to talk about the –

MR. BLAIR: Process.

DR. COHN: Yes, and Margaret, I think, is getting close; I
don’t know if it’s all the same recommendations, but I mean we can play with
that. But she has sort of HHS should accept that HIPAA provide satisfactory
protection for non-controlled substances. And that may not be exactly what we
want to say, but that sort of is along the – except for the security rule.

MS. AMATAYAKUL: Yes, I’ll embellish –

MR. BLAIR: Yes.

MS. AMATAYAKUL: — for now. [Laughs.]

DR. COHN: And I guess what I was sort of proposing, that HHS
should seek agreement from DEA that III through V should follow the HIPAA
– I guess I think there’s a piece that I – maybe it’s sort of
beginning to agree with Steve, the big bucket with two sub-buckets or whatever.

But I think there’s one, that HHS should begin to work with DEA
and, Eleni, I think my view is that they have to work with State Boards of
Pharmacy to get this all to work at the end related to controlled substances.
Am I right?

MS. ANAGNOSTIADIS: Right. And I think the point that you might
want to make, and I may be muddying the waters and I apologize if I am, is that
in the end, I mean, pie in the sky, if we had our way, it would be nice for all
prescriptions to follow the same system. The State Boards of Pharmacy are
concerned about each and every prescription coming through and to be sure that
there’s a secure transmission. Most boards agree that an electronic signature
is sufficient.

But you may want to say something like ultimately it would be
nice for all of them to follow the HIPAA standards and have basically one
system in place, with a caveat that the DEA may have further requirements for
the controlled substances, Schedule IIs or something.

DR. COHN: Okay. I mean, I will apologize, but I lost you a
little bit, but are you referencing primarily Action 1.1 up there –

MS. ANAGNOSTIADIS: Right.

DR. COHN: — relation to non-controlled substances, or
something else?

MS. ANAGNOSTIADIS: And maybe it’s just an overall general observation that
it’s important for the
security of all prescriptions to be transmitted following HIPAA regulations.
And then put something in there that – “however, the DEA may feel
that there are additional security measures that need to be taken with
controlled substances.” Or you could even just say “C2s.” I
mean, you know, we can’t speak for them.

I just think the point is that we want to make sure that all
the prescriptions coming through are secure.

DR. COHN: Okay.

MS. ANAGNOSTIADIS: And then, the procedures that are in place
now may be working. I mean, maybe we should talk to the network vendors and see
– you know, they say that they haven’t had like any hacking into their
systems in the number of prescriptions that they’re working on. So maybe that’s
sufficient — they’re following HIPAA standards. Is the DEA comfortable with
what’s going on in the marketplace today?

MR. STEINDEL: I mean, this is the approach that I’m looking at
as well, and we should put this out as a straw man to DEA: HIPAA seems to be
working within the community that is now using it for relatively sensitive
transactions. You know, at a minimum, we know it can go down to all
prescriptions excluding controlled Schedule II.

And we actually feel it’s probably just as good as what you’re going to come
up with with Schedule II as well. And I think we should just take that as the
approach to talk with DEA.

DEA has indicated that they’re backing off what they’ve
originally proposed, so they’ve obviously gotten some opposition to that. And
during that period of time, we have two years – actually, just a few
months because it only started in April – but in preparing for the
security rule and et cetera, we have over two years of experience in working
with it, and I think we should use that as a bargaining point with DEA.

DR. COHN: Do we have any – oh, Harry, I’m sorry; okay.

MR. REYNOLDS: Yes, I have a bit of disagreement that the HIPAA
rule is working in relation to all of this. I think that the current HIPAA rule
requires that if one covered entity has information, that when they transmit it
some way, they know it’s going, and when another gets it, they know. I think
what we heard in the testimony was that the dispenser in this case is
ultimately responsible for the validity of the prescription, is that correct?

MS. ANAGNOSTIADIS: Correct.

MR. REYNOLDS: The validity. So they own this whole concept.
That’s different than in HIPAA. If one covered entity sends it to the other
covered entity, there’s nobody ultimately in charge. In this process, there is
somebody in charge, and I’d like to make sure we at least add that as a level
because even though they both are covered entities – you have the
prescribers who are a covered entity and you have a dispenser who is a covered
entity, right, under the HIPAA rule? That’s fine, but you also have that
further step where the dispenser is ultimately responsible, and that’s one of
the reasons that I’m satisfied that what they’re doing now is working, because
there is some other law or something out there that that dispenser has to
validate it, and that’s different than HIPAA, because in HIPAA you don’t have
to do it.

So I guess if we were to add language around that, then I could
be comfortable that it’s HIPAA, but there’s also some other law that’s
requiring that dispenser – you add those two together and I would be much
more comfortable that you have a recommendation that carries a little more
– just HIPAA alone I don’t think covers it.

MR. STEINDEL: Harry, can I couch this in kind of HIPAA security
rule jargon so it might make you happy?

MR. REYNOLDS: I’d be happy if you would.

MR. STEINDEL: Because since the HIPAA security rule requires
that there be a risk assessment and then the security systems be put into place
to satisfy the risk assessment, it’s the dispenser that determines what the
risk assessment is because that’s the ultimate party that’s involved with this.

MR. REYNOLDS: I agree, but – and somebody can help me
– is there a law somebody put out that says that the dispenser is
responsible for the prescription, validating the prescription?

MS. ANAGNOSTIADIS: Yes, I believe that a lot of the State
Boards of Pharmacy have that in their regulations.

MR. REYNOLDS: Is there a Federal law?

MR. STEINDEL: No, there wouldn’t be.

MR. ROTHERMICH: It’s really two separate issues, because one is
the recognition that you believe this is a secure enough chain to carry the
prescription, that the HIPAA security rule secures the chain, and whether the
State Boards of Pharmacy accept that as valid security so that the prescriber
by default can accept it as a valid prescription is a state law question.

So the issue you’re raising is really whether the pharmacist is
entitled under state law to rely on the security of this system. But to me
that’s a separate issue than HHS recognizing that’s sufficient security for
prescribing under the MMA directive to create –

MR. REYNOLDS: I was hoping it had become a Federal –
because I was hoping it would add a little more –

DR. COHN: Eleni, maybe you can help me with this one only
because I’m just sort of remembering the State Boards of Pharmacy rules and
regulations. I don’t know the state where at the end of the day the dispenser
isn’t responsible for assuring the validity of the prescription that he or she
receives. Am I in error about that one?

MS. ANAGNOSTIADIS: Yes, I think all the states have some sort
of language. I just didn’t want to blanketly say, in case, you know –

DR. COHN: Well, I guess maybe we’d ask you. I don’t remember a
state board that doesn’t have that as one of sort of the fundamental precepts.

MR. WHITTEMORE: Ken Whittemore with SureScripts. Having been
involved in reviewing basically all the state regulations, I would stake my
next paycheck on the fact that all of them ultimately require the pharmacist to
be responsible for the authenticity of prescriptions, and if they have any
questions, they are to follow up on that.

DR. COHN: Yes, so authenticity – okay.

MR. REYNOLDS: Well, Simon, the reason I was trying to go there
was, as you look at, from the DEA standpoint, on III through V, and you start
thinking about what signatures, which they do now, the fact that that
pharmacist is ultimately responsible I think adds a little more than just HIPAA
security. I think it just adds another degree. They’re in charge of the
chain. And Steve, I
take your clearly, but that’s different than what people think of HIPAA.

DR. COHN: Well, I think this may be part of the observation
here.

MR. REYNOLDS: And HIPAA security is still not clear to a lot of
people, so I think it would help the case. More than be a legal way through, I
think it would help the case as far as why we would recommend something.

MS. FRIEDMAN: I agree with Harry, because at the end of the
day, as somebody said, the pharmacist is on the hook if things go wrong.

MR. BLAIR: So what are we left with with a recommendation that
HHS do?

DR. COHN: Well, it’s something that needs a lot of
wordsmithing.

[Laughter.]

MS. AMATAYAKUL: So far what I have is “HHS should accept
that the initial experience with HIPAA provides satisfactory protection for all
prescriptions” – HIPAA security. “However, the DEA may feel that
there are additional requirements for Schedule II controlled substances.”

And then I have a sentence where I’m not sure where to put:
“Dispensers’ risk analysis must be satisfied that relative to state
regulations they can validate the authenticity of prescriptions.”

DR. COHN: Yes, and I think what we’re almost saying is that HHS
should accept the experience with HIPAA security in conjunction with dispensers’
responsibility. We want to reference it higher – provide satisfactory
protection for all prescriptions – because I think that’s what we’re sort
of saying.

And I think the other question I would ask is that the next
sentence needs wordsmithing but I think what we’re saying is not just that the
DEA may feel that additional requirements for Schedule II controlled
substances; basically, I think what we’re saying is that there may be
additional requirements. I think the right sentence there opens the door to a
conversation around controlled substances, and that’s a conversation that needs
to occur between HHS and DEA, and NCVHS has a perspective on this, and
recommendations.

MR. BLAIR: So, out of this there’s nothing that would go
forward which leave any form of these guidelines?

DR. COHN: Well, I think that’s the question. Marjorie?

MS. GREENBERG: Are you asking if we could just accept that the
industry’s experience with HIPAA security blah-blah or are you saying HHS could
accept that the HIPAA security rule, in conjunction with the dispensers’
responsibility to validate and provide satisfactory –

DR. COHN: Marjorie, I think you said it very well – thank
you. You’re right.

MR. BLAIR: For the non-controlled –

DR. HUFF: Simon?

DR. COHN: Yes, Stan?

DR. HUFF: Logistically, I want to let you know that I’m going
to have to leave in about 10 minutes, so I didn’t know if you wanted to try to
do any scheduling of conference calls or other things or –

I mailed my availability back to Maria on the spreadsheet so
you’d have that for consideration, but, anyway, do whatever you want. I just
wanted to let you know that I’m going to need to leave in about 10 minutes.

MS. FRIEDMAN: Thank you, Stan. It’s Maria. I think I’m going to
have to look at everybody’s availability and get back by email —

DR. HUFF: Okay.

MS. FRIEDMAN: — to you because I haven’t had a chance to go
down and check your availability and I need one other person’s.

DR. COHN: Okay. Well, anyway, are we sort of – getting
back to this – are we sort of conceptually sort of getting close on this
one?

MR. REYNOLDS: Yes. This is Harry, and I think Jeff stated it
well. I like the fact that somebody said earlier we were being prescriptive. I
think that this uses frameworks that are in place, this uses laws that are in
place, this uses structure that’s in place. It allows the DEA to weigh in as
they see fit. You could start a pilot tomorrow morning with this language and
you could continue doing whatever needs to get done to continue this MMA going
forward.

And I think it sets the kind of framework that is not overly
prescriptive but on the other hand clearly defined, and whether we want to
mention anything else about the testimony that we heard above, as Margaret
mentioned, maybe it really needs to be moved further up. But I think that way
it bases it on – because I think the industry was real clear, that they
don’t have a single standard on it, when pushed on a couple times, and I think
that’s enough.

DR. COHN: Okay. Well, let’s get back into this stuff because
I’m sort of seeing – I don’t know what you just did, Margaret, but I think
there are actually actions here.

MS. AMATAYAKUL: There may be, but we can add them.

DR. COHN: Okay. Well, I guess from my view, I guess we’re all,
everybody – Jeff, you’re okay, at least until you see it next, until you
get it read? Sorry about that.

MR. BLAIR: That’s okay.

MR. ROTHERMICH: Can I ask one quick question –

DR. COHN: Sure.

MR. ROTHERMICH: — just to Steve’s point earlier? He was sort
of wondering whether HHS might push DEA further to accept this kind of
recommendation for C2s as well. And one of the things we heard in the testimony
was that if DEA went forward with what they were proposing, the likely result
would be that everyone would just keep doing paper for controlled substances,
which is not necessarily a good result because I think there is a recognition
that this system is more secure than paper.

And I just wondered if the Subcommittee might want to take a
position here to push on DEA, based on the testimony, because I think there was
a lot more public input on that subject than maybe was there, and I just don’t
know if you want to go that far.

MR. STEINDEL: I think what Margaret has in there – she’s
maybe doing a little wordsmithing right now – but the second sentence
addresses that. And we’re saying in the first sentence we don’t think we need
it, and in the second sentence, okay, DEA may think that, so we’ll explore it.

DR. COHN: I think there needs to be a lot more than what I’m
seeing right now and I think Margaret realizes that. And I guess my own view is
that there’s a couple of steps here. One is obviously our assertion in the
first sentence. The next one is the recognition that DEA has significant input
for control over controlled substances.

And that HHS needs to sort of explore and probably clarify with
the DEA how controlled substances are to be handled, because I think I was
hearing a fair amount of confusion both in the industry and also about the
State Boards in terms of what exactly the DEA was going to do. And I think the
industry would be served by clarification from the DEA on all of this.

And then I think it’s our position that – I think I was
hearing from the Subcommittee where we believe III through V should be handled
in the same way; Schedule IV may be a particular area that needs additional
research and evaluation to make that determination on it.

But once again, I’m looking at the Subcommittee and I don’t
know if I’m going beyond what others think, but I think that’s where we were
trying to get to with these recommendations.

MR. BLAIR: Can I add one piece to that? And I agreed with your
wording –

DR. COHN: Yes, and then I have a question for Eleni.

MR. BLAIR: I agreed with your wording, and I know we struggled
a lot to sort of get to that, but I happen to think that it is really, really
important because although we’re not winding up saying that this is focused on
the pilot tests, we don’t want to be in a situation where DEA winds up coming
up with something that doesn’t reflect the thinking that’s been expressed in
the Subcommittee meetings now for a couple of months and then blindsides us
with requirements that were not anticipated.

So I think that that clarification and agreement, that HHS
needs to obtain that to make sure that we’re not going forward with assumptions
that DEA completely disagrees with.

DR. COHN: Okay. Now, my question to Eleni was: In the
discussions around controlled substances, do the State Boards need to be part
of that conversation, or is it more that they need clarification like everyone
else?

MS. ANAGNOSTIADIS: I think it would be helpful if they were
part of that process, to have the discussions and conversations.

DR. COHN: Okay.

MS. ANAGNOSTIADIS: I mean, ultimately it’s the authority of the
DEA to make up those regulations.

MR. REYNOLDS: Is it fair to add here a sentence about the
testimony we heard – I’ll throw it out, for example – “However,
from all segments of the industry we heard that if controlled substances,
however they are part, require a significant different security with the
implementation of e-prescribing or they may not become part of
e-prescribing.”

I didn’t word that right, but that’s kind of the message I
think we heard. And what percent that is, whether that’s two to three or 15
percent, is really what it turns out to be.

DR. COHN: Yes, Margaret, you actually have something up there
that’s probably true but I think we were saying something a little different
also, which is that I think we were also trying to say that if a different
security methodology is used for controlled substances, nobody may use e-RX for
controlled substances. So I think we were also trying to say that.

MR. REYNOLDS: I would reference that we definitely established
clear testimony from all segments – prescribers, dispensers and all of the
associated entities in between.

MR. STEINDEL: And the results of one pilot.

MR. REYNOLDS: Right.

DR. COHN: Now, it’s not fair to start wordsmithing it all. The point is,
Margaret, you’re working, I know.

I’m just looking at the blue sentence in 1.1, so basically how
HHS should – I mean, what we’re sort of saying is here not on how
controlled substances may require additional protection but how controlled
substances should be handled in e-prescribing.

And the rest – I mean, I’m not going to wordsmith beyond
that. It was just that it’s a different thought there.

Well, I guess we should ask everybody: Are we getting close?
Subcommittee members, are we getting closer?

There always is the first draft and we’re – you know.

DR. HUFF: Yes, I’m having a hard time seeing what you’re typing
but –

[Laughter.]

MR. BLAIR: Join the crowd.

[Laughter.]

MS. AMATAYAKUL: Could I read it one last time?

DR. COHN: Well, you should, but I feel like we’re sort of
getting exhausted here on this one. You may want to –

MR. REYNOLDS: Margaret, if I were you, I would ask for volunteers to take your
place. And you are going to see a lot of hands!

MS. AMATAYAKUL: Our Recommended Action 1.1:

[Reading] “HHS should accept that the HIPAA security rule,
in conjunction with the dispensers’ responsibility to validate authenticity of
prescriptions, provides satisfactory protection for all prescriptions. However,
HHS should clarify and reach agreement with the DEA and State Boards of
Pharmacy on how controlled substances should be handled within
e-prescribing.”

DR. COHN: Yes. And let me just make a comment here. What you
should say is: “However, NCVHS recognizes the DEA has the major role and
provides oversight on matters related to controlled substances.”

MR. BLAIR: Now, on that first sentence, that first sentence I
think is a fair statement of our recommendation related to prescriptions over
e-prescribing networks. We’re not going beyond the e-prescribing networks when
we make that statement. So I think you need to make sure that phrase is in
there to bound it.

MS. AMATAYAKUL: Got it. And then: [reading] “If controlled
substances require a significantly different level of security, no one may use
e-prescribing for controlled substances, and therefore the benefits of
e-prescribing may not be able to be achieved.”

DR. COHN: Yes, and whether that’s there or on an observation,
it’s obviously something that’s obvious to you.

Now, I guess we still have most of the other recommendations to
impact, and I’m thinking of 1.2, which is “HHS should work with DEA to
support analysis in the potential risk associated with sending prescriptions
for Schedule III controlled substances through an e-prescribing network,”
period. Didn’t want that?

MS. AMATAYAKUL: I thought it was –

DR. COHN: I don’t see it. Oh, I see.

MS. AMATAYAKUL: I didn’t think any of those others were needed.

MR. REYNOLDS: I mean, I would agree. I’m not sure we need the
rest.

DR. COHN: Well, okay, I guess I’m missing something then,
because I think that we were urging that Schedule III through V –

MS. GREENBERG: Yes, we lost that.

DR. COHN: — should be handled in the same fashion as
non-controlled substances. Are we not going to make that recommendation? Isn’t
that we’re asking HHS to work with them on this? I thought that we were still
going forward with that. Maybe I’m missing –

MR. STEINDEL: Simon, I’m reading it again, and I agree with you; we should put
somewhere in there that while we
look at III through V a little bit differently than II and we feel III through
V definitely should be handled the same way as all others, as non-controlled
substances –

DR. COHN: Yes.

MR. STEINDEL: — and that should be HHS’s position.

DR. COHN: Yes, and then –

MR. STEINDEL: And we can wordsmith that in, but I agree, it’s
not explicit enough there.

DR. COHN: Yes, and then we’re sort of saying this whole issue
about additional analysis is scheduled here.

MR. STEINDEL: Yes.

MR. WHITTEMORE: Ken Whittemore again. I think you could do that
just by, in the first sentence where it says “the satisfactory protection
for all prescriptions, including Schedule III through V controlled substances,
over e-prescribing networks.”

MR. STEINDEL: I think it’s nice and clean this way.

MS. GREENBERG: Does the Committee believe that the security
rule in conjunction with the dispenser’s responsibility is adequate to provide
satisfactory protection for Schedule II also over an e-prescribing network?

MR. STEINDEL: That’s my position, until proven otherwise, and I
don’t think I’ve seen anything from DEA that proves otherwise.

MS. GREENBERG: I’m just asking.

MR. REYNOLDS: Especially after we heard the testimony on the
current paper process.

[Laughter.]

DR. COHN: Well, I guess I need to ask everybody specifically
– I mean, I guess I myself, and I’m speaking one vote here, had always
thought of Schedule II as something slightly different, and because of my years
of writing prescriptions, the additional steps one has to go through, and
indeed that’s noted by the State Boards of Pharmacy in many of statements and
practices. So I think it’s a point that needs to be further investigated.

Marjorie, and then Judy – oh, Judy, and then Marjorie.

MS. WARREN: I was just going to say, didn’t we hear, when
Florida testified with their Medicaid program, that because they were using
e-prescribing, they could find a lot more fraud and abuse with the electronic
connected with paper? Well, I would assume that would be the same for a
Schedule II drug, which is one that we’re doing.

So maybe we should say, Action 1.2, that the controlled drugs, we should have
as the same process as above,
because I’d like to keep the controlled drugs as a separate statement from the
non-controlled.

MS. GREENBERG: Well, it just seems if you’re going to have
something in 1.1 about controlled substances, that’s the place to say that
– somewhere, wherever you said it, somewhere else, that HHS should urge
DEA that Schedule III through V be handled the same as all non-controlled
substances and that analysis should be done as to why the – or something
about why Schedule II needs to be handled differently, because it’s kind of
fragmented otherwise. You’re saying they should work with them, and later
you’re saying about III through V.

But it might be just to stop 1.1 at over e-prescribing –
you know, at networks, then go into the statements about your next one, saying
“however, we recognize that DEA has this little – so you need to work
with them” and then make the statement about Schedule III through V and
something about Schedule II.

DR. COHN: So basically Action 1.2 becomes sub out of that next
piece. Or something like that.

MS. GREENBERG: And then make your comment about “if
controlled substances require da-dah –” the benefits may not be
accrued, and in fact, testimony was used, too, that a lot of people won’t use
e-prescribing.

DR. COHN: Okay. Lori?

MS. REED-FOURQUET: Yes, I think you need to include in there
HHS, the DEA, things that need to be worked through, and risk assessment from
DEA’s perspective on the controlled substances. I think we’ve not really not
taken a look. At the existing e-prescribing networks, there is very little
incentive to break security to get an uncontrolled substance. There is a huge
incentive that is available to the general population to the abuse the code
substances of multiple schedules – I think Schedule IV presented as one,
but there are many others.

And so the risk analysis with those incentives and open
networks and access to those people who have incentives has truly not been done
in any of the hearings that I’ve heard here. And I believe that risk assessment
needs to be part of this process with HHS and the DEA to determine whether it’s
a III through V, a IV, maybe V only. We’re almost arbitrarily breaking out
Schedule II in recognizing that it is the one that needs the most security.

DR. COHN: Lori, thank you.

MR. BROOK: But I just want to make a point that somebody just
alluded to a moment ago – this is Richard Brook from ProxyMed –
surrounding the security in the audit trail.

I think, as I mentioned before, ProxyMed does transmit IIIs,
IVs and Vs; however, it’s the pharmacist’s responsibility, again, to call back
to verify or confirm that. However, again, we have not had any issues
whatsoever over the last eight or nine years with doing this where somebody did
break in, looking for, or actually intercepting, the message.

So I think if we’re going to move forward and talk about that,
things that have been – the authentication, the audit trail, all of those
things that when we remove paper from this, there is much more security in
potentially doing III and IV.

DR. COHN: So let’s see if we can sort of take all that and look
at these things. And I think, first of all, we are trying to limit these
conversations and recommendations to e-prescribing networks, and I think we’ve
indicated, I believe, that we think there’s probably more stringent measures
– and I don’t know if they got lost here, but more stringent measures are
probably necessary if someone gets into a more open network for e-prescribing.
And I think we’ve said that, correct? I’m just not sure whether that got lost
in all of this or –

MR. BLAIR: Well, actually, Observation 2 starts to address
that process.

DR. COHN: Does it? Okay.

MR. BLAIR: Yes.

MR. REYNOLDS: Simon?

DR. COHN: Well, I just think we need to make sure that that
gets handled in the appropriate places in all of that. Now – I’ve lost my
train of thought. Harry?

MR. REYNOLDS: You know, if you were sitting on the other side
of the table, if you were DEA, obviously when we talk about what the current
process is where the dispenser could send back a response to the prescriber,
when you get to Schedule II, maybe you require something like that.

I mean, there’s ways to take the current process, require
pieces of it that you could upscale so that basically any time there’s a
Schedule II – so you’re leaving the framework. You may require pieces of
it differently back to the prescriber or others. Right now, if there’s a wet
signature, a person may fill a Schedule II, but electronic, if a Schedule II
came across and a message was sent back to them, then you’re absolutely at a
higher level now than you have now with paper, even than you have now with
anything, because – so those are the things that I think, the structure
that we painted in our observations up front, those are ways – and I would
hope that the DEA and HHS would look at it and maybe for any controlled
substance, require some things like that.

So those are thoughts. So I think our structure allows a
ratcheting down without changing the whole industry and what we had up there.
That’s just an example.

DR. COHN: Okay. I don’t know what to do with that, but –

MR. REYNOLDS: No, I’m trying to cross-check as to whether
there are ways – we talked about a process because the things that right
now might be optional could be made mandatory.

DR. COHN: Okay. Now, Margaret, help us with this. How much
more do we want to work on this version with you taking it back and
wordsmithing? I think what we’re –

MS. AMATAYAKUL: I’m more comfortable now than I was when I
asked that earlier question —

DR. COHN: Okay.

MS. AMATAYAKUL: — so I think we could probably go forward.

DR. COHN: Okay.

MS. ECKERT: Can I ask one quick question?

DR. COHN: Sure, please.

MS. ECKERT: Karen Eckert from Medi-Span.

In Recommended Action 1.1, when we used the word
“prescription” in the second line and “all prescriptions”
in the third line, are we saying controlled and non-controlled? Because you
break out the controlled later, so I
think by doing that, it gets confusing in 1.1 if you’re referring to both or
because you didn’t specifically say almost parenthetically controlled and
non-controlled afterwards. People may think we’re trying to do two different
things.

I thought that’s what we were saying at one point, and then
when we started adding the other recommendations, I kind of lost that point.

DR. COHN: Okay. So let’s take a read of 1.2 and 1.3 just to
see how close we are.

MS. AMATAYAKUL: Shall I read 1.2?

DR. COHN: Please.

MS. AMATAYAKUL: [Reading] “NCVHS recognizes that the DEA
has a major role in oversight on controlled substances. HHS should clarify and
reach agreement with the DEA and State Boards of Pharmacy on how controlled
substances should be handled within e-prescribing. HHS should urge DEA to
conduct a risk analysis to support that Schedule III through V is handled the
same as all non-controlled substances.

The controlled substances require a significantly different
level of security. No one may use e-prescribing for controlled substances, and
therefore the benefits of e-prescribing may not be able to be achieved.”

DR. COHN: Okay. I guess the one question I’d have, I think one
of our people who commented sort of talked about the risk analysis for level
III to V. I don’t know how you do a risk analysis where it looks like you
already know the answer. Well, it says, “risk analysis to support that
Schedule III may be handled the same as all non-controlled substances.”

MS. ANAGNOSTIADIS: How about something like “to determine
whether or not controlled substances can be handled the same way as
non-controlled substances?”

DR. COHN: Okay, maybe that’s – “to determine”

MR. BLAIR: And I think the thing that would help in that
sentence is that this is a risk analysis within the context of an e-prescribing
network.

DR. COHN: Okay. Well, now, I guess I just want to bring up the
question – I mean, are we – we have moved now from the same III to V
and now we’re talking about risk analysis be conducted. What is the feeling of
the Subcommittee? I mean, because this is a change in recommendation. Maria,
did you have a comment on that?

MS. FRIEDMAN: I do. I’m not sure. I mean, DEA may have
conducted this risk analysis, for all we know, and we’ll find out when they
write things out; it would be in an impact analysis. We just don’t know.

DR. COHN: Marjorie, please.

MS. GREENBERG: Well, I feel like I’m now in a sense
contradicting what I said earlier because, in fact, HHS cannot unilaterally
accept that the HIPAA security rule is fine for all transactions because, in
fact, as we say in 1.2, HHS doesn’t have control over controlled –

DR. COHN: We said back in 1.1.

MS. GREENBERG: No, but I think you could say “HHS should
take the position that –”

DR. COHN: Thank you. That’s very good, thank you.

Okay, now let me get back to that question, though. Is our
recommendation that HHS as the next step regarding III through V, is it our
position that they need to conduct a risk assessment to evaluate whether
Schedule III could be handled in the same way? Or we had been making the
stronger assertion before this. This basically becomes an action to study now.

I guess I would ask the Subcommittee whether that’s their
current position or whether our position is that it should be handled the same
way. Lynne, were you going to comment on this or were you – okay. So let
me just ask: Where are we on that particular recommendation?

MR. BLAIR: I think we’re okay.

DR. COHN: Okay, so you want to do the risk analysis?

MR. BLAIR: Yes.

DR. COHN: Okay, and then we’re going to have them do a separate
risk analysis about Schedule II?

MS. WARREN: The risk analysis tells whether the Schedule III
through V can be handled?

DR. COHN: Okay, I guess I would ask, then: Why are we at that
point if we’re asking them just to do a risk analysis? Why are we only doing a
III through V as opposed to II through V?

MS. WARREN: Right. It should be all of them.

MS. AMATAYAKUL: But if you do that, then your position is that
you want to open it to all controlled substances as opposed to urging them the
III through V.

MR. STEINDEL: I think we just want to word it so that even
though the scope of the risk analysis covers them all that the risk for
Schedule II – they need to be three separate risks analysis and see if
– I just don’t want a situation where you wind up saying Schedule II
becomes the bar for everything else.

DR. COHN: Okay. Let me just make a comment here, and I
certainly am only one vote on the Committee, but I am concerned that we appear
to take, at least in perspective, a giant step backwards in this recommendation
and I’m not myself willing to support – and it’s my vote that we move from
stating that III through Vs are okay versus III through Vs need a risk
analysis.

MR. STEINDEL: I agree with you, Simon.

DR. COHN: I think we just take a poll of the Subcommittee
because if I’m off on this one – I mean, I’m one vote, but I am not
comfortable with this one personally. So –

Well, before what we were saying is that III through Vs should
be handled the same way. What we’re saying here is that DEA should conduct
– we’re urging them to conduct a risk analysis to figure out what their
position ought to be. And my view was is that we need to do a risk analysis on
II but that I think we had reached a recommendation on III through V, or at
least a perspective on what ought to happen.

MR. BLAIR: Oh, I see what you’re saying.

MR. REYNOLDS: Where’s that wording, Margaret?

MS. AMATAYAKUL: So you could say –

MR. REYNOLDS: No, no, where’s the wording Simon described?

DR. COHN: Oh, it’s HHS should work with DEA to clarify –

MR. REYNOLDS: No, no, I’m talking where you originally said we
took a stand. I just want to see that.

DR. COHN: Yes, Margaret, let’s see.

MS. AMATAYAKUL: What I’ve added in red is what
we formerly had and what we changed it to is in black here. So
we originally had “HHS should work with DEA to clarify that III through V
should be handled the same as non-controlled substances.” What we changed
it to is “HHS should work with DEA to determine the risk analysis, whether
Schedule III through V can be handled the same
as –”

MR. REYNOLDS: No, I’m in 1.1, because that’s what Simon’s
referencing.

DR. COHN: No, I’m referencing 1.2.

MR. REYNOLDS: You said we took a stand at some point.

DR. COHN: Yes. 1.2 used to be an assertion that we – and
let me just see if we’ve got the –

MS. AMATAYAKUL: Well, the very original 1.2 wasn’t quite the
same.

MR. REYNOLDS: Let me make it simple. Simon, I agree with you.

DR. COHN: Okay!

MR. REYNOLDS: I totally agree. I thought you meant – I
thought we had put in – I was going back to make sure it said it.

MR. BLAIR: So the risk analysis should be on Schedule II only,
is that correct?

DR. COHN: Right. And once again, I just wanted
to say – I guess I need to poll –

MS. WARREN: I know where we got wrong is –

MS. WARREN: You made mentioned from ASTM that a risk analysis
hadn’t been done on the others and that maybe it should be done.

DR. COHN: The microphone?

MS. WARREN: Well, I think where we went wrong is we heard a
previous comment that risk analysis had not been done on III to V and maybe
that should be done. And so that’s where we got to this point.

DR. COHN: Right.

MS. WARREN: But agree back with you. Previously, we had
discussed that we already thought that III to V could be handled with
e-prescribing with the security that was in place. So I’m supporting what you
said, Simon.

DR. COHN: Okay. So, okay, so I guess I’m hearing everybody
supporting this.

You know, we’re in a position where obviously our role is to
take testimony and comments and parts up to this are sort of putting together
all of the testimony and reflecting on testimony and statements made. These are
actually recommendations that we’re making about next steps, so this is
obviously a refinement and it becomes our judgment on this. So, Eleni?

MS. ANAGNOSTIADIS: I just have a comment about the first two
sentences on Recommended Action 1.2. By reading “NCVHS recognizes that the
DEA has a major role in oversight on controlled substances,” it seems like
there’s another entity that has some type of regulatory authority over it

DR. COHN: State Boards?

MS. ANAGNOSTIADIS: — so I think it should be that they are the
authority over controlled substances, so I would make that a little stronger.

And then the second sentence, and I think I might have
misunderstood you when you asked if you felt the State Boards should be
involved – if you say HHS should clarify and reach agreement with the DEA,
I think you got to remove State Boards of Pharmacy because we have no authority
over making regulations for controlled substances.

Now, if they want to consult with us, that’s a different story
and we would be happy to enter into a dialogue, but when you’re talking
clarifying and reaching an agreement regarding controlled substances, I think
that the State Boards of Pharmacy need to be removed there.

DR. COHN: Okay.

MS. ANAGNOSTIADIS: Or in consultation with – you know.

MS. AMATAYAKUL: So, would it be appropriate to
add in the third sentence, “HHS should work with DEA and
in consultation with State Boards” there?

MS. ANAGNOSTIADIS: Again, if you’re talking about the
clarification based upon the testimony that the DEA provided, I mean, I guess
that’s where we’re getting that statement from. By clarifying, am I correct or
is it just our assumption that that’s what it needs to be?

But if you’re clarifying that III through V should be handled
the same way, I would think that it would be based upon the testimony that the
DEA gave saying that they would be willing to look at different processes.

Again, we’re happy to work with the DEA, but we can’t make
– you know, we’re not the final authority; we can’t say, yes, this can be
done, or no, this cannot be done.

DR. COHN: Okay. I guess my only question, obviously why I’ve
had you come up and sit with us, is that I know the State Boards play a
different – an additional role –

MS. ANAGNOSTIADIS: Right.

DR. COHN: — in all of this stuff, and once again, it may be my
misunderstanding, but I’ve always sort of thought of the DEA as the floor and
then the State Boards might add additional things on top of it. Did I
misunderstand your testimony yesterday?

MS. ANAGNOSTIADIS: No, no, no. You’re absolutely right. But
most likely the State Boards won’t go more stringent than what the DEA requires

DR. COHN: Okay, so maybe that’s –

MS. ANAGNOSTIADIS: — in notification.

DR. COHN: — less of an issue, then. That was my main –

MS. ANAGNOSTIADIS: Right.

DR. COHN: — concern there. Okay.

Margaret first, and then you.

MS. AMATAYAKUL: Could we ask Eleni then to look at 1.3 where we
have DEA and State Boards and see if that’s appropriate also?

MS. ANAGNOSTIADIS: Yes, that’s fine, to work with – oh, to
support additional analysis of the potential risks. But you talk about earlier
to clarify —

MS. AMATAYAKUL: Yes, okay.

MS. ANAGNOSTIADIS: — whether or not they could be handled, so
I don’t think that falls under our purview.

DR. COHN: Well, I appreciate that.

MS. HELM: Hi, this is Jill Helm with Allscripts again. I have a
bit of a different perspective.

We see that State Boards as well as the DEA have a role in
controlled substances, particularly in the transmission of controlled substance
prescriptions. I
mean, if you look at, for example, paper processes, the states
have a very active role in determining the triplicate requirements and what the
controlled substance prescription blanks look like. And many states have
addressed the issue of electronic transmission of controlled substances either
by deferring to the DEA or looking to put some regulations in place perhaps
would be in addition to anything that the DEA puts forth.

So I think it’s appropriate to include them in this process so
that there’s not inconsistency. What I would not want to see is a different
requirement for controlled substance Part D prescriptions versus just
controlled substance prescriptions for the general population.

DR. COHN: Okay. I’m thinking of how to include this. I think
maybe there’s a separate sentence here that basically HHS should work with
– maybe we’ll call them all “the states” because I think I heard
from Eleni that sometimes they’re in different agencies that are involved with
this in addition to State Boards –

MS. ANAGNOSTIADIS: That’s true. Some have –

DR. COHN: — basically to assure to the maximum step possible
that there’s uniform application of – I don’t know. Harry, do you have the
last part of the sentence –

MR. REYNOLDS: Yes –

DR. COHN: — and a question? Oh, let’s get to Maria.

MS. FRIEDMAN: Are you talking about to facilitate e-prescribing
over secret networks? Are you talking about use of standards where we talk
about –

DR. COHN: I’m talking about for controlled substances,
application of –

MS. FRIEDMAN: Is it requirements for electronic controlled
substances?

DR. COHN: Yes, application of requirement – maybe there’s
requirements for –

MS. FRIEDMAN: Whose requirements? It’s usually the DEA is the
floor.

DR. COHN: Yes, it’s uniform –

Why don’t we stop on this one and we’ll figure out the
wordsmithing and whether it’s – yes, sure won’t come to me right now. So
to mark that it needs to be wordsmithed.

Lynne, you’ve been very patient. Why don’t I let you –

MS. GILBERTSON: Lynne Gilbertson, NCPDP. It’s been interesting
because we’ve now walked through the comment I wanted to make which Jill made
it, and also to where we cite working with the Boards or working with whatever
to also include working with the industry, because
that’s where your knowledge comes of how you apply, and it’s
one thing to build a regulation or a floor but you want to make sure it has a
proof of concept with what the industry can support as well.

And given that there’s a lot of hard definition changes,
clarifications, modifications that have occurred in the State Boards where the
definitions of a lot of these e-prescribing, e-signature, digital certificate,
all those kinds of things, I think you need the industry involved to help tie
some of those loose ends up in these discussions.

DR. COHN: Thank you.

MS. ANAGNOSTIADIS: Lynne, were you talking about under
Recommended Action 1.3 or –

MS. GILBERTSON: 1.2 and 1.3.

MS. ANAGNOSTIADIS: Okay.

DR. COHN: Well – okay. Maybe, and actually that’s what I
was having trouble with – maybe it’s HHS should work with the state and
its representatives to insure to the extent possible there’s uniform
implementation of DEA requirements for e-prescribing of controlled substances.

MS. ANAGNOSTIADIS: And I think that’s nice and clean because it
defers to the DEA at the top, knowing that they’re the authority to make those
baseline guidelines.

DR. COHN: Are we okay? Oh, please –

MR. REYNOLDS: MMA preempts state law.

DR. COHN: Yes, for Part D.

MR. REYNOLDS: We just put up there to bring the state law back
in – I think.

DR. COHN: Well, no – let’s go back and visit – this
is almost our transition to the NPRM. If you remember what happens under the
concept of federalism, Part Ds are covered by MMA, Part D prescriptions, but
not all e-prescribing –

MR. REYNOLDS: I agree.

DR. COHN: — except to the extent that it interferes with Part
D prescribing.

MR. REYNOLDS: Right.

DR. COHN: And so what we’re right now doing is we’re
continually calling for that everything should be the same, and so this is
where we’re trying to go with on this one, across states. Does that make sense?
I mean, that’s why people work together to get uniformity.

MR. REYNOLDS: I understand. I’m just –

DR. COHN: Is that okay?

MR. REYNOLDS: — double-checking.

DR. COHN: Okay. I think that was where we were going. Okay. Do
you have a question? And then I want to begin to transition a little bit here.

MS. FRIEDMAN: I have a question, because now
we’re asking HHS to kind of help DEA enforce or implement their
regulations?

MR. BLAIR: No. At least I hadn’t heard anything –

MS. FRIEDMAN: It says HHS should work with DEA to – it’s
that next sentence – HHS should work with states and industry
representatives to assure to the extent possible that there is uniform
implementation of DEA requirements for e-prescribing controlled substances. Do
we really mean that?

I don’t think we ought to let the DEA –

MR. BLAIR: Maybe it’s guidance, uniform application, rather
than implementation.

MS. FRIEDMAN: I just don’t see where HHS has a role —

MR. BLAIR: — Maybe you meant “consistent.”

MS. FRIEDMAN: — in working with the states to effect
implementation of DEA regulations. We have enough trouble with our own.

DR. COHN: Okay, I’m going to suggest, without solving this
particular one, we may want to remove that whole sentence, but I will defer to
the next version of this one. I think we’re wordsmithing to the point where we
can’t even see the recommendations anymore. Yes, I think we need to let
Margaret work on this, and I think things
have gotten a lot simpler, which is good. We actually
understand even some of the terms that were a little fuzzy.

Now, do we want to talk about the recommendations in 2 at all,
at this point?

MR. BLAIR: Let’s get at least initial reactions to it.

DR. COHN: Okay, and then I’d like to spend a couple minutes
talking about the NPRM response and all of that. Marjorie?

MS. GREENBERG: Is this letter going to include anything about
the other areas that you deferred from your November letter?

DR. COHN: We’re going to talk about that for a minute, too.
Thank you. But let’s talk about the recommendations – I don’t know; do we
need to read through the entire Observation 2?

MR. BLAIR: I don’t need – as long as everybody else could
see them, I remember what they are.

MS. AMATAYAKUL: So Recommended Action 2.1 is:

[Reading] “HHS should conduct pilot tests to evaluate the
feasibility of adopting stronger authentication and non-repudiation measures
such as provided for through PKI. These pilot tests should be conducted in the
general prescribing community and test the ability to scale adoption of these
security services for e-prescribing across prescribers and dispensers in
multiple environments.”

MR. BLAIR: Now, understand that the observation indicated that
this is to apply to anticipate that there might be the requirement to send
prescriptions over the open Internet.

MS. FRIEDMAN: And my question is: By pilots – we talk
around the word “pilot” all the time, and to me, since I’m so MMA
focused, to my mind, pilots, at least in a very narrow view, refers to what’s
required under the MMA. And sometimes – and this is an example – we
might want to have pilot kind of outside, other pilots going on in other
places.

I just want it clarified. Do we want to have this under the MMA
pilot for 2006 or are you talking about testing additional functionality and
piloting it in some other way?

MR. BLAIR: Well, the thing is, at least I was thinking –
and again, this may not be feasible, Maria, because whatever constraints you
may have – yet I was envisioning that there was going to be multiple
pilots and that probably the great majority of the pilots would be over
e-prescribing networks, and this was just indicating that under the coverage of
the MMA with the pilot tests beginning in January 1st, 2006, that
there be at least one pilot test that would prepare for the possibility of the
future where things would be over the open Internet.

So, yes, I was thinking of it within the MMA.

DR. COHN: Though luckily it’s ambiguous. Lori, and then Harry.

MS. REED-FOURQUET: I actually want to make a comment on the
observation up above and I don’t recall exactly where it said it where you
described the current process, by use of either the private leased lines –
below there, right there – “these authentication measures are
bolstered by use of either private leased lines or security protocols,” et
cetera.

There is an implication there that the other protocols are also
being conducted over private networks as opposed to the open Internet, and
you’ve been very clear in other places to distinguish open Internet. If those
security protocols you’re referring are server side SSL, then that is being
conducted over the open Internet and it is simply assuring encryption between
the end user and presumably the application service provider, and it is
assuring server side authentication, meaning that you’re not going to trick the
end user application into going to a false location to conduct their business
and transactions.

DR. COHN: Well, that’s a very good point. Thank you. Harry?

MR. REYNOLDS: Based on what we’ve said above, I’m not sure that
this observation matters anymore. We are basically saying it’s under the HIPAA
rule, the dispenser’s responsible, you got to secure it, you got to validate
your security. And I think the point that was just made is some of this stuff,
there’s business related to HIPAA going all over the Internet right now.

And the point is, it better be secure, and you’re on the hook,
and you’re in trouble if you don’t do it.

And so I’m not sure that parsing it out here does anything plus
or minus.

MS. FRIEDMAN: Aren’t you trying to open the door, though, for
the open Web-based applications? That’s where I thought you were going with
this, Jeff. Am I wrong? And that’s where you’re making this distinction.

MR. BLAIR: Well, there’s a phrase in the observation that when
you’re looking at the e-prescribing networks, there’s a level of security, an
authentication where we don’t want to impact the business case of the
e-prescribing networks, we don’t want to – you know, all of the things
that were listed that the industry testified to us.

On the other hand, if we don’t include some pilot testing of
the feasibility of PKI for the future in environments that are not in the
e-prescribing networks,
then we’re just, I think, leaving ourselves vulnerable for the
future, not having tested them, and as we go forward here.

DR. COHN: But Jeff, let me ask an odd, and maybe awkward,
question to you, and I will apologize; I’m not a security – my title’s not
director of security for my organization. But obviously we have been using the
term – what?

MS. GREENBERG: I said, thank goodness! You have enough to do!

DR. COHN: I have enough to do – okay. But we obviously in
a number of places mentioned over the open Internet that I think that at least
what Lori was asserting in her comment just now is that an organization that
uses SSL at least technically is doing something over the open Internet.

DR. FERRER: Can.

DR. COHN: Can be over the open Internet.

MS. REED-FOURQUET: It is a “can” and I believe that
there are a number of current implementations whereby the physician’s interface
to their application service provider is being conducted over the open Internet
through SSL server side protection only, user name and password. Hand-helds,
PDAs that are accessing a service over wireless communications, for instance.

DR. COHN: Okay. Lori, thank you. What I’m just reflecting on is
that I think we need to go back and look at the background and everything else.
But I think we’re still talking about the HIPAA security and the risk analysis
and all that, but – Steve? – I’m just bringing up this additional
wrinkle.

MR. STEINDEL: I kind of agree with Harry. I’ve had a problem
with this observation in these recommendations since I first saw it and I think
we’ve got it pretty much covered under 1. And I am reluctant to propose a pilot
for PKI under any guise, e-prescribing or anything else, at this point in time.

DR. COHN: Margaret, and I guess we need at that point to take a
poll of the Subcommittee to see where we want to go with this one. Margaret?

MS. AMATAYAKUL: I would just like to remind everybody that the
CMS Internet policy is still in force that does not allow for claims to be
transmitted over the open Internet. And so I think that that should just be in
your thinking as to whether you want to do this or not.

DR. COHN: Margaret, thank you. Lori?

MS. REED-FOURQUET: Regarding the PKI pilots, we would like to
see a convergence between the health informatics standards, the health
information system vendors’ approaches to security and digital signatures which
we are moving forward with to be able to be piloted in conjunction with the
electronic prescribing pilots.

DR. COHN: Lori, thank you. You know, we have a couple of
options on how to handle Observation 2. Certainly, one position is sort of
what’s here, and certainly Maria has asked for clarification about whether or
not this is a 2006 pilot, so this isn’t really HHS but CMS pilot, or whether
it’s some other kind of pilot.

And then, of course, the observation’s been made about whether
or not there ought to be any pilots whatsoever or whether the Subcommittee and
full Committee ought to be silent on this issue.

Obviously, we’ve got sort of multiple choices here and so I
think we need to decide where we are on all of this. Maria?

MS. FRIEDMAN: The reason I’m asking for clarification is that
CMS and the Department take these recommendations very seriously, and so I just
want to make sure that we’re clear on what it is you’re asking to be done and
what time frames, because if it’s an MMA pilot, you know, it’s a very short
time frame and the technology is very different than it would be if you were
going to look to see if this is more a feasibility kind of thing in a broader
perspective.

DR. COHN: Okay, Mike, maybe you have a comment.

DR. FITZMAURICE: There’s a companion point of view in that this
may be the only pilot testing that the government does and so that if there’s
something important, you may want to put it in here. I’m not saying that PKI
is, given some of the difficulties we’ve heard, but balance those two thoughts,
if you would.

DR. COHN: Well, I’m trying to think of how for us to make a
decision on this one and I guess the question is, I think the first question is
whether or not there needs to be pilots, I think, and then the second question
is what is the timing.

And I think we need to sort of figure out from the Subcommittee
– this almost feels to me like a research agenda when you say that,
because to my knowledge there has not been a breakthrough in technology that
has occurred since we started hearing testimony that tells me that there’s an
entirely new thing to be tested, so I think the view might be that this
technology will continue and improve. Biometrics and other methods of
authentication will get better.

And so I guess my question would be, you know, it’s hard to
imagine there’s a 2006 answer, Jeff, unless I’m missing the point here. And it
may be actually a longer term agenda, which may mean it’s really an AHRQ issue,
I don’t know – I’m looking toward Mike Fitzmaurice
as I’m saying that.

But the question, first of all, of course is whether we want to
say anything at all about it.

MS. FRIEDMAN: I think this reaches back to a fundamental issue
that we’ve had and that we’ve been trying to address, is how do you deal with a
continuum of technology and craft something that’s workable today but leaves
open the door for the rapid development and adoption of technology as we go
forward? Because you don’t want to lock anybody into anything at the moment in
some ways, but on the other hand, you want to leave that door open.

MR. BLAIR: Well, Maria, what would you recommend?

MS. FRIEDMAN: I don’t know, because I’m having the same
struggle that everybody else has had in trying to craft these with an eye
toward the future.

MS. AMATAYAKUL: I’m wondering if the requirement in Observation
1 isn’t to comply with HIPAA that requires continual evaluation and risk
analysis; as technology and your environment changes, that that would be
handled, that PKI would be handled as a result of being required to do a
continual evaluation under HIPAA.

MR. REYNOLDS: Which right now includes the viruses and
everything else that you have to deal with in your security network.

MS. FRIEDMAN: Again, it’s not just PKI; it’s the whole
biometric issue. I mean, as that technology comes on line and it becomes
increasingly more sophisticated – it’s coming; it’s going to be here soon.
It’s just not quite here today.

MR. REYNOLDS: Simon, if you think about, you know, we heard, we
recommended what ought to happen and we recommended that DEA is going to have
to weigh in on controlled substances, and once the DEA weighs in, and if they
put the hammer down on non-repudiation and some other things, then it’s much
easier for me to recommend pilots of things than right now picking out a pilot
on some things and say, “Go try this,” because they will be the
reason, at least initially.

They will be the reason that this thing gets changed
dramatically one way or the other, because I think the security rule, there’s
people doing a lot of business under that security rule right now that have the
same ramifications and everything that this does, and so I’m not sure that
picking out a technology or recommending this or that, because they may pick
something totally different. They may say, yes, and if we’re dealing solely
with e-prescribing, we’ve said we’re good with what’s going on except we want
to hear what the DEA says or whether they ratchet something up, and once they
ratchet it up, then we
have to sit down and understand what ratcheting it up means.
And then we may discuss whether or not – first, we discuss whether or not
controlled substance or other things are in, and if they are, then what would
we want recommended a pilot be to allow them to continue in e-prescribing, or
does it blow it up, for example, it’ll never be?

DR. COHN: I guess I’m sort of struggling here, and once again
I’m just sort of looking at the Subcommittee members to sort of see where we
are. My perspective on this – maybe I just sort of asked – I mean,
Harry, what I’m hearing from you is that you think that we should be silent on
Observation 2 and remove it completely.

MR. REYNOLDS: I do.

DR. COHN: I guess my view this is a recommendation that’s
really more of a long-term research agenda that we’re recommending to HHS that
they need to be looking at methods of improved authentication as well as
non-repudiation such as PKI and biometrics but probably not limited to that not
only for e-prescribing but also as we move towards the NHII. And to my view,
the case gets a lot more as we begin to bump all those things on. And I think
framed in that way, I’m very comfortable with it. But that’s not 2006 pilot;
that’s not exactly where Jeff was. So, Harry’s going north, I’m going east,
Judy, are you
going south?

[Laughter.]

MR. REYNOLDS: No, Simon, I’m going with you. I have no problem
with recommending that because this is a changing environment, because there
are other things on our plate with everything else that’s come along, that they
continue to review it and take e-prescribing and other things into
consideration. I don’t have a problem with that. Whether or not we pilot it, we
recommend a pilot, or a type of pilot, or something else, based on
e-prescribing, that’s the only place we differ.

DR. COHN: Okay.

MR. REYNOLDS: I agree with the recommendation. I just don’t
want to lock in a pilot.

DR. COHN: So you’d be more comfortable with the research
agenda.

MR. REYNOLDS: Yes – northeast.

DR. COHN: Okay – northeast, okay.

[Laughter.]

DR. COHN: Judy, where are you?

MS. WARREN: I guess I’m uncomfortable with recommending a pilot
right now because I’m not sure where it fits in because it’s really going to
depend on what DEA says on what’s going to happen.

Now, whether or not we have Observation 2, at
this point, I don’t know. I need to sit down and take a look at
what we’ve written and think about it some before I can really answer that.

DR. COHN: Okay, so what –

MS. WARREN: Going in circles is kind of where I am right now.

DR. COHN: Okay – well, that’s okay. Jeff?

MR. BLAIR: Let’s give the Subcommittee time to think about
this.

DR. COHN: Okay. Well, I guess the question would be – we
don’t need to make a decision today, but it seems to me that we need to sort of
put together maybe another straw man that talks about alternatively some sort
of a research agenda as described so that we can look at both and see how we
feel for the conference call. Does that make sense?

MR. BLAIR: Yes.

DR. COHN: Okay. Lori – comment?

MS. REED-FOURQUET: Okay. Can it be worded in such a way that
should a pilot be proposed in response that doesn’t include it that it is not
precluded because it is defined as a long-term agenda, as opposed to something
that perhaps might begin in 2006?

DR. COHN: I didn’t quite understand what you were saying.

MS. REED-FOURQUET: Well, I think you’re grappling with do you
want to specifically recommend that PKI be piloted as part of the 2006 request

DR. COHN: Right.

MS. REED-FOURQUET: — which would mean that you would
specifically put out an RFP, I assume, that asks for somebody to specifically
propose it. However, if your RFP is put out in the more general format where
somebody does propose that, that it might not be precluded from the 2006 pilots
because you’ve determined it to be a long-term research agenda.

DR. COHN: I see, okay. Well, that makes – I’m not writing
the RFP, as you can imagine.

MS. REED-FOURQUET: If that’s the recommendation –

DR. COHN: I see.

MS. REED-FOURQUET: — if you’re drafting it.

DR. COHN: Okay. Good point.

Okay, have we exhausted everybody? Steve? We need to move on to
some other items here about – it’s right now 12:08.

MR. STEINDEL: Yes, I know.

DR. COHN: And we will adjourn, as commented, at 12:30. Now let
me move on to a couple of other issues.

Now, obviously, Maria, number one, is going to
schedule probably two or three conference calls — my bet is
it’ll be three, over the next two weeks – assuming she can figure it out,
and we will do our best to get a majority of members of the Subcommittee. It
may not always be the same majority, but she will do the best she can with
that.

Now, Marjorie, I think, brought up the issue of what else are
we putting in here, and clearly there’s an issue, and I’m assuming, Margaret,
that you need to place in here language from the Privacy and Confidentiality
Subcommittee, and that’s number one.

Number two, and I think this is what Marjorie was also asking
about very appropriately, is what other recommendations do we need to be making
about any of the issues that have sort of come before us?

And if you’ll remember, there are three items, four items, that
we had identified as we would be giving additional advice to the Secretary on,
and they included the formulary –

MS. AMATAYAKUL: And formulary identifier.

DR. COHN: Well, no – maybe we’re talking about — I’m
looking at the recommendations; I’m not looking at the next steps.

MS. AMATAYAKUL: This is a list of stuff that I took from the
first letter.

DR. COHN: Okay. And what I’m looking for are things that we
specifically said we were going to be providing additional advice and guidance
and things that we suggested, I think, additional advice and guidance were the
RxHub standard that related to formulary as well as the RxHub medication
history, both of which were going through the NCPDP process.

And I think we had said that we were going to try to give
additional guidance to HHS on those, is that correct? I don’t think we’ve ever
said that sig, for example, was something that we were providing additional
guidance to decide whether it was going to be a foundational or
non-foundational standard.

MS. AMATAYAKUL: This list is only from the next steps.

DR. COHN: Okay – and I’m not referring to the next steps

MS. AMATAYAKUL: Okay.

DR. COHN: — at this point. I’m referring to actual
recommendations where we said we’d give additional guidance.

I think my memory is that there were only two areas, there may
have been another –

MS. GREENBERG: Was there anything about the other type of
history?

DR. COHN: About the other kind of what?

MS. GREENBERG: Not just medication history but medical –

DR. COHN: No. Okay, that’s not what I’m talking about. I’m
talking about within the recommendations, that we had other things. She has
that list.

MS. GREENBERG: You have the letter.

DR. COHN: Okay, but what I’m referring to, is, for example, in
Recommendation – let’s see – “NCVHS will closely monitor the
progress of NCPDP’s developing standard medication history, for example, for
communication, and provide advice to the Secretary in time for adoption as a
foundation standard and/or readiness for the 2006 pilot test.” It was that
type of recommendation I was referencing right at this point.

And I guess what I was at the beginning commenting on that I
didn’t think we heard enough – I don’t think we can tell the Secretary at
this point anything more than we already know about either of those standards
at this point. Sounds like they’re in process –

MR. REYNOLDS: Is it important to mention that we did hear
further testimony on their status and especially on those two where it is?

DR. COHN: Well, we could.

MR. REYNOLDS: And if they meet – I don’t remember Lynne’s dates
exactly – but if some of them meet the schedule, then we may later
this year –

DR. COHN: Provide additional guidance.

MR. REYNOLDS: Yes, that’s a possibility.

DR. COHN: Yes.

MS. FRIEDMAN: Because the reg leaves open the possibility of
adopting some foundation standards and formulary and medication history
standards, providing they get through the process, and they can be adopted as
foundation standards without further ado.

DR. COHN: Well, let me think what “further ado”
means.

[Laughter.]

DR. COHN: Let me think about “further ado.”

MS. AMATAYAKUL: It sounded to me like the NPRM was saying that
they had set place holders for these two areas and that they wouldn’t have to
do another NPRM –

DR. COHN: Okay.

MS. AMATAYAKUL: — just to address these two areas.

DR. COHN: But I think by “further ado” I mean –
I guess the reason I was so struggling with further ado – was the industry
being surprised in November with additional things without any further
discussion, and I guess I was a little concerned about that.

But I guess we need to see what the industry thinks as we move
forward. Yes, Mike?

DR. FITZMAURICE: The Committee could say we’ve heard reports
and we believe that progress is coming along very satisfactorily and it could
be even speeded up with HHS support.

DR. COHN: Actually, I don’t know whether I heard the last part;
is that true? Or maybe we didn’t hear that. I heard progress is moving forward.

MS. FRIEDMAN: Didn’t Lynne say that they may be coming back to
ask for additional support from us?

MR. REYNOLDS: For other items, not these two necessarily.

DR. COHN: Yes. I think that’s all we can say.

MR. BLAIR: We said “monitor” I think was the word.
Yes, we said we’d monitor progress.

DR. COHN: So I guess what we can do is report that we are
monitoring the progress and that we will be having additional public sessions
this summer, it sounds like, hearing from NCPDP, because I think what I heard
was that they were in the midst of balloting but it may need to go to a second
ballot, so it’s a little unclear.

MS. FRIEDMAN: One was a little farther along than the other.

DR. COHN: Exactly. But I think Margaret should put together some
wording on this one.

MR. REYNOLDS: I think the exciting point is that the industry
has taken it up, the standards organizations are going, and there’s no reason
for us to believe that whether or not it meets – it’s the early pilots.
Something’s going to come out, and we should be able to consider adopting it.
That’s what I think I heard.

DR. COHN: Yes, that’s probably no reason not to include in
pilots. I think we could certainly say that, at this point.

MS. FRIEDMAN: Especially in reference to the codified sig.

DR. COHN: Maria was sort of commenting that she thought the
codified sig would likely also be able to be in the pilot also, so I think we
could probably say that.

I think that rounds out. The standards we’re getting before
plus those three rounds out a pretty nice package —

DR. COHN: Okay.

MR. REYNOLDS: — to go forward with the pilot.

MS. FRIEDMAN: Just let me clarify this. If the formulary medication
history standard gets through the accreditation process, then we can adopt
those as foundation standards that do not need to be piloted, but they will be
ready for us by Part D.

MR. REYNOLDS: Right. That’s true.

MS. FRIEDMAN: And that’s the big if, and so that only leaves
just the structured sig, if that gets the sufficient likeness, if you will, to
be piloted.

DR. COHN: What are we saying here? I sort of just missed what
you were saying. You were saying that we’re going to advise the Secretary that
this could be adopted as a foundation standard?

MS. FRIEDMAN: Well, that’s what the NPRM says. If the formulary
medication history standards get through the process, they can be adopted as a
foundation standard. They don’t need to be pilot tested.

MR. REYNOLDS: Just like NCPDP SCRIPT.

MR. BLAIR: The NPRM did say that and its rationale for saying
that they could do that was because if there wasn’t significant modifications
from the way the protocols are used today, then there already is industry
experience?

MS. FRIEDMAN: Right.

MR. BLAIR: So that was the rationale for –

MS. FRIEDMAN: Right.

MR. BLAIR: — why they could do that.

DR. COHN: I guess we’ll have to look at the wording on that and
sort of see where we come up. I’m a little uncomfortable at this point and I’d
have to go back and either review testimony or maybe hear additional testimony
after this is completed to make sure the industry at that point feels that it’s
appropriate as a foundation or a pilot —

MR. REYNOLDS: Exactly.

DR. COHN: — because only because I think they have
significantly different ramifications given that we’re talking about putting
things in in a required basis for all health plans as well as anybody using
e-prescribing starting January 1st, 2006.

MS. FRIEDMAN: That’s why I wanted to bring that up and make
sure everybody understands that it’s in the NPRM that way.

DR. COHN: Okay. Well – okay. But we’ll take a look at the
wordsmithing and sig could certainly be piloted.

Now, do we want to quickly go through the list here of things
or do we – obviously, we didn’t get to a lot of them. We obviously have
talked about electronic signature; we’re going to have issues related to
privacy and security which really shift to e-prescribing; we have a directory
that would identify prescribers, nursing facilities and pharmacies – I
don’t think we’ve done any work on that; codification of allergens, drug
interactions and other adverse reactions to drugs – we have not done any
work on that –

MR. BROOK: The directory, there’s work done.

DR. COHN: Oh, that was an NCPDP testimony; I’m sorry. Thank
you.

Codification of allergens, drug interactions and other adverse
reactions to drugs have not been, to my knowledge, worked on. Incorporation of
indications for drug therapy into e-prescribing messages. I’m actually just
sort of looking through the remainder of these and I’m not –

MS. FRIEDMAN: Units of measure, I believe, is being addressed
to a certain extent in a codified sig. I don’t know if it’s a full-blown –
correct me if I’m wrong. Is that correct?

DR. COHN: Okay. So methods for patient identification for
e-prescribing, I think that’s a to do item, along with privacy and
confidentiality, and next more of a general MHII issue. Use of the national
health plan ID for e-prescribing, I don’t think we’ve discussed that. Formulary
identifier. Exchange of medication history among all participants in the
e-prescribing process, I think that’s a to do. Exchange of medical history
within the e-prescribing process, that’s another probably longer term to do.
How to be insure the interoperability among e-prescribing standards, that’s
clearly something we’re working on and I think want to make a comment on.

MS. AMATAYAKUL: In this letter or in your separate letter?

MS. GREENBERG: What separate letter?

DR. COHN: The NPRM letter. Well, we might want to make a
comment on both, actually, just updating on the progress relating to HL7 and
NCPDP for prescribing and work being done and then we can maybe – this is
much more of an update of progress being made, the other one being more of a
point of view around all of that.

Standard codes for orderable items, I don’t think we’ve done
anything on that.

MS. FRIEDMAN: Is that by itself or in a context of RxNorm?
Didn’t Stewart say they were addressing some of that in RxNorm now?

DR. COHN: Oh, that’s right – okay. At some point.

Exchange of drug labeling and drug listing, I don’t think we
can make much comment on that. Maybe we want to make a comment about SPLs is
working and moving forward, that’s fine.

Clinical decision support in e-prescribing, I think we
investigated that and I don’t know – we could certainly reference the
white paper coming out of –

I think other than referencing the white paper that was developed on
clinical support, I don’t think we found that there was a lot more to be
done in all of that.

So I think the reality is we’ve handled some things but
obviously haven’t done everything between September and at this point. I think
we need to congratulate ourselves on the work that we’ve done though there’ll
be a lot more over the next couple of weeks. Anyway, we’ll be asking Margaret
to do some additional drafting, then we’ll be discussing during conference
calls.

Now the other piece that we need to talk about is the Notice of
Proposed Rule and responding to it, and I’ve asked Jeff and Harry to take the
lead on that and they’ll actually be sort of chairing the discussions on it.

I don’t know if either of you have perspectives that you want
to share because clearly it’ll be part of our conference calls and I think
we’ll need to figure out whether Margaret or Maria are beginning to write
things up. I guess my own hope is that it would be heavily reliant on our
previous recommendations, but that’s just one man speaking. Harry, do you want
to comment, and Jeff, also?

MR. REYNOLDS: Jeff, go ahead first.

DR. COHN: Jeff, you go first.

MR. BLAIR: With respect to the work we do on our commenting on
the NPRM?

DR. COHN: Yes.

MR. BLAIR: My only thought is that I think we’re going to need
a lot of time for the conference calls to be able to work through that and,
Maria, if we don’t have the times, do we at least have the days when it looks
like the –

MS. FRIEDMAN: No, I have to check people’s schedules. I’ll get
out an email this afternoon.

MR. BLAIR: Okay. I would think that we’re going to need at
least two fairly sizable conference calls to finish off this letter on
e-prescribing and, gosh, we may need two sessions on our comments on the regs.

I do think that – Margaret, are you in a position where
you would be able to –

MS. FRIEDMAN: I would like to note that the comment period on
the reg is through April, though I know we have to get to the full Committee in
March. So that’s –

MR. BLAIR: Right.

MS. FRIEDMAN: — why we have to do it now, right?

MR. BLAIR: It means that, yes, we don’t have another meeting
before then to be able to try to pull this together.

I think we wound up – you know, Steve had a couple of
observations, I had a couple, and I went ahead and I mapped our recommendations
to the NPRM so some of the divergences were – Simon, I don’t know what I
could say. Margaret?

MS. AMATAYAKUL: Yes, Jeff?

MR. BLAIR: If you take Steve’s observations and I’ll send you
an email with some of my observations to get started where you’d be able to
create a draft that we could review for one of our conference calls?

MS. AMATAYAKUL: Yes, I could do that.

MR. REYNOLDS: Jeff, this is Harry. One thing to maybe add to it
is for the first conference that you’re having set up, Simon, if anyone else
has input, I mean, obviously Jeff has mapped it, Steve made some comments, if
any of the rest of the Committee has subjects or areas that they think we
should comment on, if they could at least say those at the beginning or
sometime in the first conference call and not take up the time from what we’re
doing with this letter –

MS. FRIEDMAN: Or ship them off to Margaret, email Margaret.

MR. REYNOLDS: Okay, get them to Margaret, then Jeff and I and
Margaret could work on that draft –

MR. BLAIR: Yes.

MR. REYNOLDS: — and then whenever it got in, we will have at
least had everybody’s upfront areas that they wanted to have some comments
about and then we could obviously share that.

MR. BLAIR: And the other piece is that I don’t feel a need to
comment on all of the areas where the NPRM did not include recommendations, for
example, that we made on pilot tests or working together to encourage
coordination among the SDOs. I don’t feel – you know, those things
wouldn’t normally be in the NPRM anyway. So I think the only things we would
comment on are things where clarification is needed or there’s a level of
uncomfort in the NPRM.

MS. FRIEDMAN: Or if there’s an area in the preamble where we
ask for comment, if there’s something major we left out that we didn’t address,
you think we should do as a public comment on? But again, are the foundation
standards, are they the right ones –

DR. COHN: And all the other questions that we know about. Yes.

Obviously, I guess what I would hope is that we’re not
producing another 10-page tome.

MR. REYNOLDS: Yes, absolutely.

DR. COHN: We need to be aware that we have sent them already a
16-page document which was the basis of the NPRM, so we should be selective in
our comments. Jeff, as I think you commented, the important comments that we
need to make, if there are items or responses that we need to
their questions and there aren’t actually all that many things
that they’re asking about, we can certainly make them but we don’t need to feel
that we need to feel responsible for commenting on every question that they
have knowing that some we have already commented on.

MR. REYNOLDS: And since we’ll be one of about 2,000 responses,
we probably need to be very clear. I did that for Maria’s benefit.

MS. FRIEDMAN: Thank you!

DR. COHN: And certainly, there should be no shame in heavily
quoting passages from the previous set of recommendations if they are
applicable. You know, we can sort of point things out and reemphasize, maybe
even further state or whatever, but I don’t think that there’s any shame in
sort of drawing attention back to the original document, which was an excellent
document.

MR. BLAIR: Are we able to shamelessly pander to HHS by
indicating how we thought that they based their NPRM on excellent input?

DR. COHN: I think that probably would be well taken by us.

[Laughter.]

DR. COHN: Now, so anyway, what we will do I don’t anticipate
that these will be separate conference calls. I expect that we will be handling
the letter and the NPRM sort of simultaneously so I’m anticipating we will
have four conference calls, but we will just need to make sure that we have
adequate time in the number of conference calls that we are able to schedule to
do all of that and we’re just going to have to do what we can.

Obviously, I think our intent and hope was to get this handled
by the President’s Birthday. I’m hoping at least we’ll have one of the two done
by that time and maybe the other one done the week after or something on that
level. That may be a little optimistic but we will, I think, just all strive to
do what we can.

Now, as I think we commented, for those remaining in
attendance, these will be public conference calls and we will be posting the
information on, the caller numbers and all of that, and as always we appreciate
your help and input as we move forward. That’s life.

Anyway, any final comments before we adjourn? Okay. I want to
thank everybody. We couldn’t do this without the help of the staff, and, Maria,
thank you, and Marjorie, and Donna, Michael, Jorge and Steve, and obviously
Marietta and others and obviously, the wonderful Subcommittee members, and
thank you for your work.

With that, the meeting is adjourned.

[Meeting is adjourned at 12:32 P.M.]